Docs Home
Packages
Splunk v1.2.10 published on Wednesday, Sep 18, 2024 by Pulumi
splunk.SavedSearches
Explore with Pulumi AI
# Resource: splunk.SavedSearches
Create and manage saved searches.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as splunk from "@pulumi/splunk";
const savedSearch = new splunk.SavedSearches("saved_search", {
name: "Test New Alert",
search: "index=main",
actions: "email",
actionEmailFormat: "table",
actionEmailMaxTime: "5m",
actionEmailMaxResults: 10,
actionEmailSendResults: false,
actionEmailSubject: "Splunk Alert: $name$",
actionEmailTo: "splunk@splunk.com",
actionEmailTrackAlert: true,
dispatchEarliestTime: "rt-15m",
dispatchLatestTime: "rt-0m",
cronSchedule: "*/5 * * * *",
acl: {
owner: "admin",
sharing: "app",
app: "launcher",
},
});
import pulumi
import pulumi_splunk as splunk
saved_search = splunk.SavedSearches("saved_search",
name="Test New Alert",
search="index=main",
actions="email",
action_email_format="table",
action_email_max_time="5m",
action_email_max_results=10,
action_email_send_results=False,
action_email_subject="Splunk Alert: $name$",
action_email_to="splunk@splunk.com",
action_email_track_alert=True,
dispatch_earliest_time="rt-15m",
dispatch_latest_time="rt-0m",
cron_schedule="*/5 * * * *",
acl={
"owner": "admin",
"sharing": "app",
"app": "launcher",
})
package main
import (
"github.com/pulumi/pulumi-splunk/sdk/go/splunk"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := splunk.NewSavedSearches(ctx, "saved_search", &splunk.SavedSearchesArgs{
Name: pulumi.String("Test New Alert"),
Search: pulumi.String("index=main"),
Actions: pulumi.String("email"),
ActionEmailFormat: pulumi.String("table"),
ActionEmailMaxTime: pulumi.String("5m"),
ActionEmailMaxResults: pulumi.Int(10),
ActionEmailSendResults: pulumi.Bool(false),
ActionEmailSubject: pulumi.String("Splunk Alert: $name$"),
ActionEmailTo: pulumi.String("splunk@splunk.com"),
ActionEmailTrackAlert: pulumi.Bool(true),
DispatchEarliestTime: pulumi.String("rt-15m"),
DispatchLatestTime: pulumi.String("rt-0m"),
CronSchedule: pulumi.String("*/5 * * * *"),
Acl: &splunk.SavedSearchesAclArgs{
Owner: pulumi.String("admin"),
Sharing: pulumi.String("app"),
App: pulumi.String("launcher"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Splunk = Pulumi.Splunk;
return await Deployment.RunAsync(() =>
{
var savedSearch = new Splunk.SavedSearches("saved_search", new()
{
Name = "Test New Alert",
Search = "index=main",
Actions = "email",
ActionEmailFormat = "table",
ActionEmailMaxTime = "5m",
ActionEmailMaxResults = 10,
ActionEmailSendResults = false,
ActionEmailSubject = "Splunk Alert: $name$",
ActionEmailTo = "splunk@splunk.com",
ActionEmailTrackAlert = true,
DispatchEarliestTime = "rt-15m",
DispatchLatestTime = "rt-0m",
CronSchedule = "*/5 * * * *",
Acl = new Splunk.Inputs.SavedSearchesAclArgs
{
Owner = "admin",
Sharing = "app",
App = "launcher",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.splunk.SavedSearches;
import com.pulumi.splunk.SavedSearchesArgs;
import com.pulumi.splunk.inputs.SavedSearchesAclArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var savedSearch = new SavedSearches("savedSearch", SavedSearchesArgs.builder()
.name("Test New Alert")
.search("index=main")
.actions("email")
.actionEmailFormat("table")
.actionEmailMaxTime("5m")
.actionEmailMaxResults(10)
.actionEmailSendResults(false)
.actionEmailSubject("Splunk Alert: $name$")
.actionEmailTo("splunk@splunk.com")
.actionEmailTrackAlert(true)
.dispatchEarliestTime("rt-15m")
.dispatchLatestTime("rt-0m")
.cronSchedule("*/5 * * * *")
.acl(SavedSearchesAclArgs.builder()
.owner("admin")
.sharing("app")
.app("launcher")
.build())
.build());
}
}
resources:
savedSearch:
type: splunk:SavedSearches
name: saved_search
properties:
name: Test New Alert
search: index=main
actions: email
actionEmailFormat: table
actionEmailMaxTime: 5m
actionEmailMaxResults: 10
actionEmailSendResults: false
actionEmailSubject: 'Splunk Alert: $name$'
actionEmailTo: splunk@splunk.com
actionEmailTrackAlert: true
dispatchEarliestTime: rt-15m
dispatchLatestTime: rt-0m
cronSchedule: '*/5 * * * *'
acl:
owner: admin
sharing: app
app: launcher
Create SavedSearches Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SavedSearches(name: string, args: SavedSearchesArgs, opts?: CustomResourceOptions);@overload
def SavedSearches(resource_name: str,
args: SavedSearchesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SavedSearches(resource_name: str,
opts: Optional[ResourceOptions] = None,
search: Optional[str] = None,
acl: Optional[SavedSearchesAclArgs] = None,
action_create_xsoar_incident: Optional[str] = None,
action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
action_create_xsoar_incident_param_details: Optional[str] = None,
action_create_xsoar_incident_param_incident_name: Optional[str] = None,
action_create_xsoar_incident_param_occurred: Optional[str] = None,
action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
action_create_xsoar_incident_param_server_url: Optional[str] = None,
action_create_xsoar_incident_param_severity: Optional[str] = None,
action_create_xsoar_incident_param_type: Optional[str] = None,
action_email_auth_password: Optional[str] = None,
action_email_auth_username: Optional[str] = None,
action_email_bcc: Optional[str] = None,
action_email_cc: Optional[str] = None,
action_email_command: Optional[str] = None,
action_email_format: Optional[str] = None,
action_email_from: Optional[str] = None,
action_email_hostname: Optional[str] = None,
action_email_include_results_link: Optional[int] = None,
action_email_include_search: Optional[int] = None,
action_email_include_trigger: Optional[int] = None,
action_email_include_trigger_time: Optional[int] = None,
action_email_include_view_link: Optional[int] = None,
action_email_inline: Optional[bool] = None,
action_email_mailserver: Optional[str] = None,
action_email_max_results: Optional[int] = None,
action_email_max_time: Optional[str] = None,
action_email_message_alert: Optional[str] = None,
action_email_message_report: Optional[str] = None,
action_email_pdfview: Optional[str] = None,
action_email_preprocess_results: Optional[str] = None,
action_email_report_cid_font_list: Optional[str] = None,
action_email_report_include_splunk_logo: Optional[bool] = None,
action_email_report_paper_orientation: Optional[str] = None,
action_email_report_paper_size: Optional[str] = None,
action_email_report_server_enabled: Optional[bool] = None,
action_email_report_server_url: Optional[str] = None,
action_email_send_csv: Optional[int] = None,
action_email_send_pdf: Optional[bool] = None,
action_email_send_results: Optional[bool] = None,
action_email_subject: Optional[str] = None,
action_email_to: Optional[str] = None,
action_email_track_alert: Optional[bool] = None,
action_email_ttl: Optional[str] = None,
action_email_use_ssl: Optional[bool] = None,
action_email_use_tls: Optional[bool] = None,
action_email_width_sort_columns: Optional[bool] = None,
action_jira_service_desk_param_account: Optional[str] = None,
action_jira_service_desk_param_jira_customfields: Optional[str] = None,
action_jira_service_desk_param_jira_description: Optional[str] = None,
action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
action_jira_service_desk_param_jira_priority: Optional[str] = None,
action_jira_service_desk_param_jira_project: Optional[str] = None,
action_jira_service_desk_param_jira_summary: Optional[str] = None,
action_pagerduty_custom_details: Optional[str] = None,
action_pagerduty_integration_key: Optional[str] = None,
action_pagerduty_integration_key_override: Optional[str] = None,
action_pagerduty_integration_url: Optional[str] = None,
action_pagerduty_integration_url_override: Optional[str] = None,
action_populate_lookup_command: Optional[str] = None,
action_populate_lookup_dest: Optional[str] = None,
action_populate_lookup_hostname: Optional[str] = None,
action_populate_lookup_max_results: Optional[int] = None,
action_populate_lookup_max_time: Optional[int] = None,
action_populate_lookup_track_alert: Optional[bool] = None,
action_populate_lookup_ttl: Optional[str] = None,
action_rss_command: Optional[str] = None,
action_rss_hostname: Optional[str] = None,
action_rss_max_results: Optional[int] = None,
action_rss_max_time: Optional[int] = None,
action_rss_track_alert: Optional[bool] = None,
action_rss_ttl: Optional[str] = None,
action_script_command: Optional[str] = None,
action_script_filename: Optional[str] = None,
action_script_hostname: Optional[str] = None,
action_script_max_results: Optional[int] = None,
action_script_max_time: Optional[int] = None,
action_script_track_alert: Optional[bool] = None,
action_script_ttl: Optional[str] = None,
action_slack_param_attachment: Optional[str] = None,
action_slack_param_channel: Optional[str] = None,
action_slack_param_fields: Optional[str] = None,
action_slack_param_message: Optional[str] = None,
action_slack_param_webhook_url_override: Optional[str] = None,
action_snow_event_param_account: Optional[str] = None,
action_snow_event_param_additional_info: Optional[str] = None,
action_snow_event_param_ci_identifier: Optional[str] = None,
action_snow_event_param_custom_fields: Optional[str] = None,
action_snow_event_param_description: Optional[str] = None,
action_snow_event_param_node: Optional[str] = None,
action_snow_event_param_resource: Optional[str] = None,
action_snow_event_param_severity: Optional[int] = None,
action_snow_event_param_type: Optional[str] = None,
action_summary_index_command: Optional[str] = None,
action_summary_index_hostname: Optional[str] = None,
action_summary_index_inline: Optional[bool] = None,
action_summary_index_max_results: Optional[int] = None,
action_summary_index_max_time: Optional[int] = None,
action_summary_index_name: Optional[str] = None,
action_summary_index_track_alert: Optional[bool] = None,
action_summary_index_ttl: Optional[str] = None,
action_webhook_param_url: Optional[str] = None,
actions: Optional[str] = None,
alert_comparator: Optional[str] = None,
alert_condition: Optional[str] = None,
alert_digest_mode: Optional[bool] = None,
alert_expires: Optional[str] = None,
alert_severity: Optional[int] = None,
alert_suppress: Optional[bool] = None,
alert_suppress_fields: Optional[str] = None,
alert_suppress_period: Optional[str] = None,
alert_threshold: Optional[str] = None,
alert_track: Optional[bool] = None,
alert_type: Optional[str] = None,
allow_skew: Optional[str] = None,
auto_summarize: Optional[bool] = None,
auto_summarize_command: Optional[str] = None,
auto_summarize_cron_schedule: Optional[str] = None,
auto_summarize_dispatch_earliest_time: Optional[str] = None,
auto_summarize_dispatch_latest_time: Optional[str] = None,
auto_summarize_dispatch_time_format: Optional[str] = None,
auto_summarize_dispatch_ttl: Optional[str] = None,
auto_summarize_max_disabled_buckets: Optional[int] = None,
auto_summarize_max_summary_ratio: Optional[float] = None,
auto_summarize_max_summary_size: Optional[int] = None,
auto_summarize_max_time: Optional[int] = None,
auto_summarize_suspend_period: Optional[str] = None,
auto_summarize_timespan: Optional[str] = None,
cron_schedule: Optional[str] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
dispatch_buckets: Optional[int] = None,
dispatch_earliest_time: Optional[str] = None,
dispatch_index_earliest: Optional[str] = None,
dispatch_index_latest: Optional[str] = None,
dispatch_indexed_realtime: Optional[bool] = None,
dispatch_indexed_realtime_minspan: Optional[int] = None,
dispatch_indexed_realtime_offset: Optional[int] = None,
dispatch_latest_time: Optional[str] = None,
dispatch_lookups: Optional[bool] = None,
dispatch_max_count: Optional[int] = None,
dispatch_max_time: Optional[int] = None,
dispatch_reduce_freq: Optional[int] = None,
dispatch_rt_backfill: Optional[bool] = None,
dispatch_rt_maximum_span: Optional[int] = None,
dispatch_spawn_process: Optional[bool] = None,
dispatch_time_format: Optional[str] = None,
dispatch_ttl: Optional[str] = None,
display_view: Optional[str] = None,
is_scheduled: Optional[bool] = None,
is_visible: Optional[bool] = None,
max_concurrent: Optional[int] = None,
name: Optional[str] = None,
realtime_schedule: Optional[bool] = None,
request_ui_dispatch_app: Optional[str] = None,
request_ui_dispatch_view: Optional[str] = None,
restart_on_searchpeer_add: Optional[bool] = None,
run_on_startup: Optional[bool] = None,
schedule_priority: Optional[str] = None,
schedule_window: Optional[str] = None,
vsid: Optional[str] = None,
workload_pool: Optional[str] = None)func NewSavedSearches(ctx *Context, name string, args SavedSearchesArgs, opts ...ResourceOption) (*SavedSearches, error)public SavedSearches(string name, SavedSearchesArgs args, CustomResourceOptions? opts = null)
public SavedSearches(String name, SavedSearchesArgs args)
public SavedSearches(String name, SavedSearchesArgs args, CustomResourceOptions options)
type: splunk:SavedSearches
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SavedSearchesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SavedSearchesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SavedSearchesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SavedSearchesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SavedSearchesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var savedSearchesResource = new Splunk.SavedSearches("savedSearchesResource", new()
{
Search = "string",
Acl = new Splunk.Inputs.SavedSearchesAclArgs
{
App = "string",
CanChangePerms = false,
CanShareApp = false,
CanShareGlobal = false,
CanShareUser = false,
CanWrite = false,
Owner = "string",
Reads = new[]
{
"string",
},
Removable = false,
Sharing = "string",
Writes = new[]
{
"string",
},
},
ActionCreateXsoarIncident = "string",
ActionCreateXsoarIncidentParamCustomFields = "string",
ActionCreateXsoarIncidentParamDetails = "string",
ActionCreateXsoarIncidentParamIncidentName = "string",
ActionCreateXsoarIncidentParamOccurred = "string",
ActionCreateXsoarIncidentParamSendAllServers = "string",
ActionCreateXsoarIncidentParamServerUrl = "string",
ActionCreateXsoarIncidentParamSeverity = "string",
ActionCreateXsoarIncidentParamType = "string",
ActionEmailAuthPassword = "string",
ActionEmailAuthUsername = "string",
ActionEmailBcc = "string",
ActionEmailCc = "string",
ActionEmailCommand = "string",
ActionEmailFormat = "string",
ActionEmailFrom = "string",
ActionEmailHostname = "string",
ActionEmailIncludeResultsLink = 0,
ActionEmailIncludeSearch = 0,
ActionEmailIncludeTrigger = 0,
ActionEmailIncludeTriggerTime = 0,
ActionEmailIncludeViewLink = 0,
ActionEmailInline = false,
ActionEmailMailserver = "string",
ActionEmailMaxResults = 0,
ActionEmailMaxTime = "string",
ActionEmailMessageAlert = "string",
ActionEmailMessageReport = "string",
ActionEmailPdfview = "string",
ActionEmailPreprocessResults = "string",
ActionEmailReportCidFontList = "string",
ActionEmailReportIncludeSplunkLogo = false,
ActionEmailReportPaperOrientation = "string",
ActionEmailReportPaperSize = "string",
ActionEmailReportServerEnabled = false,
ActionEmailReportServerUrl = "string",
ActionEmailSendCsv = 0,
ActionEmailSendPdf = false,
ActionEmailSendResults = false,
ActionEmailSubject = "string",
ActionEmailTo = "string",
ActionEmailTrackAlert = false,
ActionEmailTtl = "string",
ActionEmailUseSsl = false,
ActionEmailUseTls = false,
ActionEmailWidthSortColumns = false,
ActionJiraServiceDeskParamAccount = "string",
ActionJiraServiceDeskParamJiraCustomfields = "string",
ActionJiraServiceDeskParamJiraDescription = "string",
ActionJiraServiceDeskParamJiraIssueType = "string",
ActionJiraServiceDeskParamJiraPriority = "string",
ActionJiraServiceDeskParamJiraProject = "string",
ActionJiraServiceDeskParamJiraSummary = "string",
ActionPagerdutyCustomDetails = "string",
ActionPagerdutyIntegrationKey = "string",
ActionPagerdutyIntegrationKeyOverride = "string",
ActionPagerdutyIntegrationUrl = "string",
ActionPagerdutyIntegrationUrlOverride = "string",
ActionPopulateLookupCommand = "string",
ActionPopulateLookupDest = "string",
ActionPopulateLookupHostname = "string",
ActionPopulateLookupMaxResults = 0,
ActionPopulateLookupMaxTime = 0,
ActionPopulateLookupTrackAlert = false,
ActionPopulateLookupTtl = "string",
ActionRssCommand = "string",
ActionRssHostname = "string",
ActionRssMaxResults = 0,
ActionRssMaxTime = 0,
ActionRssTrackAlert = false,
ActionRssTtl = "string",
ActionScriptCommand = "string",
ActionScriptFilename = "string",
ActionScriptHostname = "string",
ActionScriptMaxResults = 0,
ActionScriptMaxTime = 0,
ActionScriptTrackAlert = false,
ActionScriptTtl = "string",
ActionSlackParamAttachment = "string",
ActionSlackParamChannel = "string",
ActionSlackParamFields = "string",
ActionSlackParamMessage = "string",
ActionSlackParamWebhookUrlOverride = "string",
ActionSnowEventParamAccount = "string",
ActionSnowEventParamAdditionalInfo = "string",
ActionSnowEventParamCiIdentifier = "string",
ActionSnowEventParamCustomFields = "string",
ActionSnowEventParamDescription = "string",
ActionSnowEventParamNode = "string",
ActionSnowEventParamResource = "string",
ActionSnowEventParamSeverity = 0,
ActionSnowEventParamType = "string",
ActionSummaryIndexCommand = "string",
ActionSummaryIndexHostname = "string",
ActionSummaryIndexInline = false,
ActionSummaryIndexMaxResults = 0,
ActionSummaryIndexMaxTime = 0,
ActionSummaryIndexName = "string",
ActionSummaryIndexTrackAlert = false,
ActionSummaryIndexTtl = "string",
ActionWebhookParamUrl = "string",
Actions = "string",
AlertComparator = "string",
AlertCondition = "string",
AlertDigestMode = false,
AlertExpires = "string",
AlertSeverity = 0,
AlertSuppress = false,
AlertSuppressFields = "string",
AlertSuppressPeriod = "string",
AlertThreshold = "string",
AlertTrack = false,
AlertType = "string",
AllowSkew = "string",
AutoSummarize = false,
AutoSummarizeCommand = "string",
AutoSummarizeCronSchedule = "string",
AutoSummarizeDispatchEarliestTime = "string",
AutoSummarizeDispatchLatestTime = "string",
AutoSummarizeDispatchTimeFormat = "string",
AutoSummarizeDispatchTtl = "string",
AutoSummarizeMaxDisabledBuckets = 0,
AutoSummarizeMaxSummaryRatio = 0,
AutoSummarizeMaxSummarySize = 0,
AutoSummarizeMaxTime = 0,
AutoSummarizeSuspendPeriod = "string",
AutoSummarizeTimespan = "string",
CronSchedule = "string",
Description = "string",
Disabled = false,
DispatchBuckets = 0,
DispatchEarliestTime = "string",
DispatchIndexEarliest = "string",
DispatchIndexLatest = "string",
DispatchIndexedRealtime = false,
DispatchIndexedRealtimeMinspan = 0,
DispatchIndexedRealtimeOffset = 0,
DispatchLatestTime = "string",
DispatchLookups = false,
DispatchMaxCount = 0,
DispatchMaxTime = 0,
DispatchReduceFreq = 0,
DispatchRtBackfill = false,
DispatchRtMaximumSpan = 0,
DispatchSpawnProcess = false,
DispatchTimeFormat = "string",
DispatchTtl = "string",
DisplayView = "string",
IsScheduled = false,
IsVisible = false,
MaxConcurrent = 0,
Name = "string",
RealtimeSchedule = false,
RequestUiDispatchApp = "string",
RequestUiDispatchView = "string",
RestartOnSearchpeerAdd = false,
RunOnStartup = false,
SchedulePriority = "string",
ScheduleWindow = "string",
Vsid = "string",
WorkloadPool = "string",
});
example, err := splunk.NewSavedSearches(ctx, "savedSearchesResource", &splunk.SavedSearchesArgs{
Search: pulumi.String("string"),
Acl: &splunk.SavedSearchesAclArgs{
App: pulumi.String("string"),
CanChangePerms: pulumi.Bool(false),
CanShareApp: pulumi.Bool(false),
CanShareGlobal: pulumi.Bool(false),
CanShareUser: pulumi.Bool(false),
CanWrite: pulumi.Bool(false),
Owner: pulumi.String("string"),
Reads: pulumi.StringArray{
pulumi.String("string"),
},
Removable: pulumi.Bool(false),
Sharing: pulumi.String("string"),
Writes: pulumi.StringArray{
pulumi.String("string"),
},
},
ActionCreateXsoarIncident: pulumi.String("string"),
ActionCreateXsoarIncidentParamCustomFields: pulumi.String("string"),
ActionCreateXsoarIncidentParamDetails: pulumi.String("string"),
ActionCreateXsoarIncidentParamIncidentName: pulumi.String("string"),
ActionCreateXsoarIncidentParamOccurred: pulumi.String("string"),
ActionCreateXsoarIncidentParamSendAllServers: pulumi.String("string"),
ActionCreateXsoarIncidentParamServerUrl: pulumi.String("string"),
ActionCreateXsoarIncidentParamSeverity: pulumi.String("string"),
ActionCreateXsoarIncidentParamType: pulumi.String("string"),
ActionEmailAuthPassword: pulumi.String("string"),
ActionEmailAuthUsername: pulumi.String("string"),
ActionEmailBcc: pulumi.String("string"),
ActionEmailCc: pulumi.String("string"),
ActionEmailCommand: pulumi.String("string"),
ActionEmailFormat: pulumi.String("string"),
ActionEmailFrom: pulumi.String("string"),
ActionEmailHostname: pulumi.String("string"),
ActionEmailIncludeResultsLink: pulumi.Int(0),
ActionEmailIncludeSearch: pulumi.Int(0),
ActionEmailIncludeTrigger: pulumi.Int(0),
ActionEmailIncludeTriggerTime: pulumi.Int(0),
ActionEmailIncludeViewLink: pulumi.Int(0),
ActionEmailInline: pulumi.Bool(false),
ActionEmailMailserver: pulumi.String("string"),
ActionEmailMaxResults: pulumi.Int(0),
ActionEmailMaxTime: pulumi.String("string"),
ActionEmailMessageAlert: pulumi.String("string"),
ActionEmailMessageReport: pulumi.String("string"),
ActionEmailPdfview: pulumi.String("string"),
ActionEmailPreprocessResults: pulumi.String("string"),
ActionEmailReportCidFontList: pulumi.String("string"),
ActionEmailReportIncludeSplunkLogo: pulumi.Bool(false),
ActionEmailReportPaperOrientation: pulumi.String("string"),
ActionEmailReportPaperSize: pulumi.String("string"),
ActionEmailReportServerEnabled: pulumi.Bool(false),
ActionEmailReportServerUrl: pulumi.String("string"),
ActionEmailSendCsv: pulumi.Int(0),
ActionEmailSendPdf: pulumi.Bool(false),
ActionEmailSendResults: pulumi.Bool(false),
ActionEmailSubject: pulumi.String("string"),
ActionEmailTo: pulumi.String("string"),
ActionEmailTrackAlert: pulumi.Bool(false),
ActionEmailTtl: pulumi.String("string"),
ActionEmailUseSsl: pulumi.Bool(false),
ActionEmailUseTls: pulumi.Bool(false),
ActionEmailWidthSortColumns: pulumi.Bool(false),
ActionJiraServiceDeskParamAccount: pulumi.String("string"),
ActionJiraServiceDeskParamJiraCustomfields: pulumi.String("string"),
ActionJiraServiceDeskParamJiraDescription: pulumi.String("string"),
ActionJiraServiceDeskParamJiraIssueType: pulumi.String("string"),
ActionJiraServiceDeskParamJiraPriority: pulumi.String("string"),
ActionJiraServiceDeskParamJiraProject: pulumi.String("string"),
ActionJiraServiceDeskParamJiraSummary: pulumi.String("string"),
ActionPagerdutyCustomDetails: pulumi.String("string"),
ActionPagerdutyIntegrationKey: pulumi.String("string"),
ActionPagerdutyIntegrationKeyOverride: pulumi.String("string"),
ActionPagerdutyIntegrationUrl: pulumi.String("string"),
ActionPagerdutyIntegrationUrlOverride: pulumi.String("string"),
ActionPopulateLookupCommand: pulumi.String("string"),
ActionPopulateLookupDest: pulumi.String("string"),
ActionPopulateLookupHostname: pulumi.String("string"),
ActionPopulateLookupMaxResults: pulumi.Int(0),
ActionPopulateLookupMaxTime: pulumi.Int(0),
ActionPopulateLookupTrackAlert: pulumi.Bool(false),
ActionPopulateLookupTtl: pulumi.String("string"),
ActionRssCommand: pulumi.String("string"),
ActionRssHostname: pulumi.String("string"),
ActionRssMaxResults: pulumi.Int(0),
ActionRssMaxTime: pulumi.Int(0),
ActionRssTrackAlert: pulumi.Bool(false),
ActionRssTtl: pulumi.String("string"),
ActionScriptCommand: pulumi.String("string"),
ActionScriptFilename: pulumi.String("string"),
ActionScriptHostname: pulumi.String("string"),
ActionScriptMaxResults: pulumi.Int(0),
ActionScriptMaxTime: pulumi.Int(0),
ActionScriptTrackAlert: pulumi.Bool(false),
ActionScriptTtl: pulumi.String("string"),
ActionSlackParamAttachment: pulumi.String("string"),
ActionSlackParamChannel: pulumi.String("string"),
ActionSlackParamFields: pulumi.String("string"),
ActionSlackParamMessage: pulumi.String("string"),
ActionSlackParamWebhookUrlOverride: pulumi.String("string"),
ActionSnowEventParamAccount: pulumi.String("string"),
ActionSnowEventParamAdditionalInfo: pulumi.String("string"),
ActionSnowEventParamCiIdentifier: pulumi.String("string"),
ActionSnowEventParamCustomFields: pulumi.String("string"),
ActionSnowEventParamDescription: pulumi.String("string"),
ActionSnowEventParamNode: pulumi.String("string"),
ActionSnowEventParamResource: pulumi.String("string"),
ActionSnowEventParamSeverity: pulumi.Int(0),
ActionSnowEventParamType: pulumi.String("string"),
ActionSummaryIndexCommand: pulumi.String("string"),
ActionSummaryIndexHostname: pulumi.String("string"),
ActionSummaryIndexInline: pulumi.Bool(false),
ActionSummaryIndexMaxResults: pulumi.Int(0),
ActionSummaryIndexMaxTime: pulumi.Int(0),
ActionSummaryIndexName: pulumi.String("string"),
ActionSummaryIndexTrackAlert: pulumi.Bool(false),
ActionSummaryIndexTtl: pulumi.String("string"),
ActionWebhookParamUrl: pulumi.String("string"),
Actions: pulumi.String("string"),
AlertComparator: pulumi.String("string"),
AlertCondition: pulumi.String("string"),
AlertDigestMode: pulumi.Bool(false),
AlertExpires: pulumi.String("string"),
AlertSeverity: pulumi.Int(0),
AlertSuppress: pulumi.Bool(false),
AlertSuppressFields: pulumi.String("string"),
AlertSuppressPeriod: pulumi.String("string"),
AlertThreshold: pulumi.String("string"),
AlertTrack: pulumi.Bool(false),
AlertType: pulumi.String("string"),
AllowSkew: pulumi.String("string"),
AutoSummarize: pulumi.Bool(false),
AutoSummarizeCommand: pulumi.String("string"),
AutoSummarizeCronSchedule: pulumi.String("string"),
AutoSummarizeDispatchEarliestTime: pulumi.String("string"),
AutoSummarizeDispatchLatestTime: pulumi.String("string"),
AutoSummarizeDispatchTimeFormat: pulumi.String("string"),
AutoSummarizeDispatchTtl: pulumi.String("string"),
AutoSummarizeMaxDisabledBuckets: pulumi.Int(0),
AutoSummarizeMaxSummaryRatio: pulumi.Float64(0),
AutoSummarizeMaxSummarySize: pulumi.Int(0),
AutoSummarizeMaxTime: pulumi.Int(0),
AutoSummarizeSuspendPeriod: pulumi.String("string"),
AutoSummarizeTimespan: pulumi.String("string"),
CronSchedule: pulumi.String("string"),
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
DispatchBuckets: pulumi.Int(0),
DispatchEarliestTime: pulumi.String("string"),
DispatchIndexEarliest: pulumi.String("string"),
DispatchIndexLatest: pulumi.String("string"),
DispatchIndexedRealtime: pulumi.Bool(false),
DispatchIndexedRealtimeMinspan: pulumi.Int(0),
DispatchIndexedRealtimeOffset: pulumi.Int(0),
DispatchLatestTime: pulumi.String("string"),
DispatchLookups: pulumi.Bool(false),
DispatchMaxCount: pulumi.Int(0),
DispatchMaxTime: pulumi.Int(0),
DispatchReduceFreq: pulumi.Int(0),
DispatchRtBackfill: pulumi.Bool(false),
DispatchRtMaximumSpan: pulumi.Int(0),
DispatchSpawnProcess: pulumi.Bool(false),
DispatchTimeFormat: pulumi.String("string"),
DispatchTtl: pulumi.String("string"),
DisplayView: pulumi.String("string"),
IsScheduled: pulumi.Bool(false),
IsVisible: pulumi.Bool(false),
MaxConcurrent: pulumi.Int(0),
Name: pulumi.String("string"),
RealtimeSchedule: pulumi.Bool(false),
RequestUiDispatchApp: pulumi.String("string"),
RequestUiDispatchView: pulumi.String("string"),
RestartOnSearchpeerAdd: pulumi.Bool(false),
RunOnStartup: pulumi.Bool(false),
SchedulePriority: pulumi.String("string"),
ScheduleWindow: pulumi.String("string"),
Vsid: pulumi.String("string"),
WorkloadPool: pulumi.String("string"),
})
var savedSearchesResource = new SavedSearches("savedSearchesResource", SavedSearchesArgs.builder()
.search("string")
.acl(SavedSearchesAclArgs.builder()
.app("string")
.canChangePerms(false)
.canShareApp(false)
.canShareGlobal(false)
.canShareUser(false)
.canWrite(false)
.owner("string")
.reads("string")
.removable(false)
.sharing("string")
.writes("string")
.build())
.actionCreateXsoarIncident("string")
.actionCreateXsoarIncidentParamCustomFields("string")
.actionCreateXsoarIncidentParamDetails("string")
.actionCreateXsoarIncidentParamIncidentName("string")
.actionCreateXsoarIncidentParamOccurred("string")
.actionCreateXsoarIncidentParamSendAllServers("string")
.actionCreateXsoarIncidentParamServerUrl("string")
.actionCreateXsoarIncidentParamSeverity("string")
.actionCreateXsoarIncidentParamType("string")
.actionEmailAuthPassword("string")
.actionEmailAuthUsername("string")
.actionEmailBcc("string")
.actionEmailCc("string")
.actionEmailCommand("string")
.actionEmailFormat("string")
.actionEmailFrom("string")
.actionEmailHostname("string")
.actionEmailIncludeResultsLink(0)
.actionEmailIncludeSearch(0)
.actionEmailIncludeTrigger(0)
.actionEmailIncludeTriggerTime(0)
.actionEmailIncludeViewLink(0)
.actionEmailInline(false)
.actionEmailMailserver("string")
.actionEmailMaxResults(0)
.actionEmailMaxTime("string")
.actionEmailMessageAlert("string")
.actionEmailMessageReport("string")
.actionEmailPdfview("string")
.actionEmailPreprocessResults("string")
.actionEmailReportCidFontList("string")
.actionEmailReportIncludeSplunkLogo(false)
.actionEmailReportPaperOrientation("string")
.actionEmailReportPaperSize("string")
.actionEmailReportServerEnabled(false)
.actionEmailReportServerUrl("string")
.actionEmailSendCsv(0)
.actionEmailSendPdf(false)
.actionEmailSendResults(false)
.actionEmailSubject("string")
.actionEmailTo("string")
.actionEmailTrackAlert(false)
.actionEmailTtl("string")
.actionEmailUseSsl(false)
.actionEmailUseTls(false)
.actionEmailWidthSortColumns(false)
.actionJiraServiceDeskParamAccount("string")
.actionJiraServiceDeskParamJiraCustomfields("string")
.actionJiraServiceDeskParamJiraDescription("string")
.actionJiraServiceDeskParamJiraIssueType("string")
.actionJiraServiceDeskParamJiraPriority("string")
.actionJiraServiceDeskParamJiraProject("string")
.actionJiraServiceDeskParamJiraSummary("string")
.actionPagerdutyCustomDetails("string")
.actionPagerdutyIntegrationKey("string")
.actionPagerdutyIntegrationKeyOverride("string")
.actionPagerdutyIntegrationUrl("string")
.actionPagerdutyIntegrationUrlOverride("string")
.actionPopulateLookupCommand("string")
.actionPopulateLookupDest("string")
.actionPopulateLookupHostname("string")
.actionPopulateLookupMaxResults(0)
.actionPopulateLookupMaxTime(0)
.actionPopulateLookupTrackAlert(false)
.actionPopulateLookupTtl("string")
.actionRssCommand("string")
.actionRssHostname("string")
.actionRssMaxResults(0)
.actionRssMaxTime(0)
.actionRssTrackAlert(false)
.actionRssTtl("string")
.actionScriptCommand("string")
.actionScriptFilename("string")
.actionScriptHostname("string")
.actionScriptMaxResults(0)
.actionScriptMaxTime(0)
.actionScriptTrackAlert(false)
.actionScriptTtl("string")
.actionSlackParamAttachment("string")
.actionSlackParamChannel("string")
.actionSlackParamFields("string")
.actionSlackParamMessage("string")
.actionSlackParamWebhookUrlOverride("string")
.actionSnowEventParamAccount("string")
.actionSnowEventParamAdditionalInfo("string")
.actionSnowEventParamCiIdentifier("string")
.actionSnowEventParamCustomFields("string")
.actionSnowEventParamDescription("string")
.actionSnowEventParamNode("string")
.actionSnowEventParamResource("string")
.actionSnowEventParamSeverity(0)
.actionSnowEventParamType("string")
.actionSummaryIndexCommand("string")
.actionSummaryIndexHostname("string")
.actionSummaryIndexInline(false)
.actionSummaryIndexMaxResults(0)
.actionSummaryIndexMaxTime(0)
.actionSummaryIndexName("string")
.actionSummaryIndexTrackAlert(false)
.actionSummaryIndexTtl("string")
.actionWebhookParamUrl("string")
.actions("string")
.alertComparator("string")
.alertCondition("string")
.alertDigestMode(false)
.alertExpires("string")
.alertSeverity(0)
.alertSuppress(false)
.alertSuppressFields("string")
.alertSuppressPeriod("string")
.alertThreshold("string")
.alertTrack(false)
.alertType("string")
.allowSkew("string")
.autoSummarize(false)
.autoSummarizeCommand("string")
.autoSummarizeCronSchedule("string")
.autoSummarizeDispatchEarliestTime("string")
.autoSummarizeDispatchLatestTime("string")
.autoSummarizeDispatchTimeFormat("string")
.autoSummarizeDispatchTtl("string")
.autoSummarizeMaxDisabledBuckets(0)
.autoSummarizeMaxSummaryRatio(0)
.autoSummarizeMaxSummarySize(0)
.autoSummarizeMaxTime(0)
.autoSummarizeSuspendPeriod("string")
.autoSummarizeTimespan("string")
.cronSchedule("string")
.description("string")
.disabled(false)
.dispatchBuckets(0)
.dispatchEarliestTime("string")
.dispatchIndexEarliest("string")
.dispatchIndexLatest("string")
.dispatchIndexedRealtime(false)
.dispatchIndexedRealtimeMinspan(0)
.dispatchIndexedRealtimeOffset(0)
.dispatchLatestTime("string")
.dispatchLookups(false)
.dispatchMaxCount(0)
.dispatchMaxTime(0)
.dispatchReduceFreq(0)
.dispatchRtBackfill(false)
.dispatchRtMaximumSpan(0)
.dispatchSpawnProcess(false)
.dispatchTimeFormat("string")
.dispatchTtl("string")
.displayView("string")
.isScheduled(false)
.isVisible(false)
.maxConcurrent(0)
.name("string")
.realtimeSchedule(false)
.requestUiDispatchApp("string")
.requestUiDispatchView("string")
.restartOnSearchpeerAdd(false)
.runOnStartup(false)
.schedulePriority("string")
.scheduleWindow("string")
.vsid("string")
.workloadPool("string")
.build());
saved_searches_resource = splunk.SavedSearches("savedSearchesResource",
search="string",
acl=splunk.SavedSearchesAclArgs(
app="string",
can_change_perms=False,
can_share_app=False,
can_share_global=False,
can_share_user=False,
can_write=False,
owner="string",
reads=["string"],
removable=False,
sharing="string",
writes=["string"],
),
action_create_xsoar_incident="string",
action_create_xsoar_incident_param_custom_fields="string",
action_create_xsoar_incident_param_details="string",
action_create_xsoar_incident_param_incident_name="string",
action_create_xsoar_incident_param_occurred="string",
action_create_xsoar_incident_param_send_all_servers="string",
action_create_xsoar_incident_param_server_url="string",
action_create_xsoar_incident_param_severity="string",
action_create_xsoar_incident_param_type="string",
action_email_auth_password="string",
action_email_auth_username="string",
action_email_bcc="string",
action_email_cc="string",
action_email_command="string",
action_email_format="string",
action_email_from="string",
action_email_hostname="string",
action_email_include_results_link=0,
action_email_include_search=0,
action_email_include_trigger=0,
action_email_include_trigger_time=0,
action_email_include_view_link=0,
action_email_inline=False,
action_email_mailserver="string",
action_email_max_results=0,
action_email_max_time="string",
action_email_message_alert="string",
action_email_message_report="string",
action_email_pdfview="string",
action_email_preprocess_results="string",
action_email_report_cid_font_list="string",
action_email_report_include_splunk_logo=False,
action_email_report_paper_orientation="string",
action_email_report_paper_size="string",
action_email_report_server_enabled=False,
action_email_report_server_url="string",
action_email_send_csv=0,
action_email_send_pdf=False,
action_email_send_results=False,
action_email_subject="string",
action_email_to="string",
action_email_track_alert=False,
action_email_ttl="string",
action_email_use_ssl=False,
action_email_use_tls=False,
action_email_width_sort_columns=False,
action_jira_service_desk_param_account="string",
action_jira_service_desk_param_jira_customfields="string",
action_jira_service_desk_param_jira_description="string",
action_jira_service_desk_param_jira_issue_type="string",
action_jira_service_desk_param_jira_priority="string",
action_jira_service_desk_param_jira_project="string",
action_jira_service_desk_param_jira_summary="string",
action_pagerduty_custom_details="string",
action_pagerduty_integration_key="string",
action_pagerduty_integration_key_override="string",
action_pagerduty_integration_url="string",
action_pagerduty_integration_url_override="string",
action_populate_lookup_command="string",
action_populate_lookup_dest="string",
action_populate_lookup_hostname="string",
action_populate_lookup_max_results=0,
action_populate_lookup_max_time=0,
action_populate_lookup_track_alert=False,
action_populate_lookup_ttl="string",
action_rss_command="string",
action_rss_hostname="string",
action_rss_max_results=0,
action_rss_max_time=0,
action_rss_track_alert=False,
action_rss_ttl="string",
action_script_command="string",
action_script_filename="string",
action_script_hostname="string",
action_script_max_results=0,
action_script_max_time=0,
action_script_track_alert=False,
action_script_ttl="string",
action_slack_param_attachment="string",
action_slack_param_channel="string",
action_slack_param_fields="string",
action_slack_param_message="string",
action_slack_param_webhook_url_override="string",
action_snow_event_param_account="string",
action_snow_event_param_additional_info="string",
action_snow_event_param_ci_identifier="string",
action_snow_event_param_custom_fields="string",
action_snow_event_param_description="string",
action_snow_event_param_node="string",
action_snow_event_param_resource="string",
action_snow_event_param_severity=0,
action_snow_event_param_type="string",
action_summary_index_command="string",
action_summary_index_hostname="string",
action_summary_index_inline=False,
action_summary_index_max_results=0,
action_summary_index_max_time=0,
action_summary_index_name="string",
action_summary_index_track_alert=False,
action_summary_index_ttl="string",
action_webhook_param_url="string",
actions="string",
alert_comparator="string",
alert_condition="string",
alert_digest_mode=False,
alert_expires="string",
alert_severity=0,
alert_suppress=False,
alert_suppress_fields="string",
alert_suppress_period="string",
alert_threshold="string",
alert_track=False,
alert_type="string",
allow_skew="string",
auto_summarize=False,
auto_summarize_command="string",
auto_summarize_cron_schedule="string",
auto_summarize_dispatch_earliest_time="string",
auto_summarize_dispatch_latest_time="string",
auto_summarize_dispatch_time_format="string",
auto_summarize_dispatch_ttl="string",
auto_summarize_max_disabled_buckets=0,
auto_summarize_max_summary_ratio=0,
auto_summarize_max_summary_size=0,
auto_summarize_max_time=0,
auto_summarize_suspend_period="string",
auto_summarize_timespan="string",
cron_schedule="string",
description="string",
disabled=False,
dispatch_buckets=0,
dispatch_earliest_time="string",
dispatch_index_earliest="string",
dispatch_index_latest="string",
dispatch_indexed_realtime=False,
dispatch_indexed_realtime_minspan=0,
dispatch_indexed_realtime_offset=0,
dispatch_latest_time="string",
dispatch_lookups=False,
dispatch_max_count=0,
dispatch_max_time=0,
dispatch_reduce_freq=0,
dispatch_rt_backfill=False,
dispatch_rt_maximum_span=0,
dispatch_spawn_process=False,
dispatch_time_format="string",
dispatch_ttl="string",
display_view="string",
is_scheduled=False,
is_visible=False,
max_concurrent=0,
name="string",
realtime_schedule=False,
request_ui_dispatch_app="string",
request_ui_dispatch_view="string",
restart_on_searchpeer_add=False,
run_on_startup=False,
schedule_priority="string",
schedule_window="string",
vsid="string",
workload_pool="string")
const savedSearchesResource = new splunk.SavedSearches("savedSearchesResource", {
search: "string",
acl: {
app: "string",
canChangePerms: false,
canShareApp: false,
canShareGlobal: false,
canShareUser: false,
canWrite: false,
owner: "string",
reads: ["string"],
removable: false,
sharing: "string",
writes: ["string"],
},
actionCreateXsoarIncident: "string",
actionCreateXsoarIncidentParamCustomFields: "string",
actionCreateXsoarIncidentParamDetails: "string",
actionCreateXsoarIncidentParamIncidentName: "string",
actionCreateXsoarIncidentParamOccurred: "string",
actionCreateXsoarIncidentParamSendAllServers: "string",
actionCreateXsoarIncidentParamServerUrl: "string",
actionCreateXsoarIncidentParamSeverity: "string",
actionCreateXsoarIncidentParamType: "string",
actionEmailAuthPassword: "string",
actionEmailAuthUsername: "string",
actionEmailBcc: "string",
actionEmailCc: "string",
actionEmailCommand: "string",
actionEmailFormat: "string",
actionEmailFrom: "string",
actionEmailHostname: "string",
actionEmailIncludeResultsLink: 0,
actionEmailIncludeSearch: 0,
actionEmailIncludeTrigger: 0,
actionEmailIncludeTriggerTime: 0,
actionEmailIncludeViewLink: 0,
actionEmailInline: false,
actionEmailMailserver: "string",
actionEmailMaxResults: 0,
actionEmailMaxTime: "string",
actionEmailMessageAlert: "string",
actionEmailMessageReport: "string",
actionEmailPdfview: "string",
actionEmailPreprocessResults: "string",
actionEmailReportCidFontList: "string",
actionEmailReportIncludeSplunkLogo: false,
actionEmailReportPaperOrientation: "string",
actionEmailReportPaperSize: "string",
actionEmailReportServerEnabled: false,
actionEmailReportServerUrl: "string",
actionEmailSendCsv: 0,
actionEmailSendPdf: false,
actionEmailSendResults: false,
actionEmailSubject: "string",
actionEmailTo: "string",
actionEmailTrackAlert: false,
actionEmailTtl: "string",
actionEmailUseSsl: false,
actionEmailUseTls: false,
actionEmailWidthSortColumns: false,
actionJiraServiceDeskParamAccount: "string",
actionJiraServiceDeskParamJiraCustomfields: "string",
actionJiraServiceDeskParamJiraDescription: "string",
actionJiraServiceDeskParamJiraIssueType: "string",
actionJiraServiceDeskParamJiraPriority: "string",
actionJiraServiceDeskParamJiraProject: "string",
actionJiraServiceDeskParamJiraSummary: "string",
actionPagerdutyCustomDetails: "string",
actionPagerdutyIntegrationKey: "string",
actionPagerdutyIntegrationKeyOverride: "string",
actionPagerdutyIntegrationUrl: "string",
actionPagerdutyIntegrationUrlOverride: "string",
actionPopulateLookupCommand: "string",
actionPopulateLookupDest: "string",
actionPopulateLookupHostname: "string",
actionPopulateLookupMaxResults: 0,
actionPopulateLookupMaxTime: 0,
actionPopulateLookupTrackAlert: false,
actionPopulateLookupTtl: "string",
actionRssCommand: "string",
actionRssHostname: "string",
actionRssMaxResults: 0,
actionRssMaxTime: 0,
actionRssTrackAlert: false,
actionRssTtl: "string",
actionScriptCommand: "string",
actionScriptFilename: "string",
actionScriptHostname: "string",
actionScriptMaxResults: 0,
actionScriptMaxTime: 0,
actionScriptTrackAlert: false,
actionScriptTtl: "string",
actionSlackParamAttachment: "string",
actionSlackParamChannel: "string",
actionSlackParamFields: "string",
actionSlackParamMessage: "string",
actionSlackParamWebhookUrlOverride: "string",
actionSnowEventParamAccount: "string",
actionSnowEventParamAdditionalInfo: "string",
actionSnowEventParamCiIdentifier: "string",
actionSnowEventParamCustomFields: "string",
actionSnowEventParamDescription: "string",
actionSnowEventParamNode: "string",
actionSnowEventParamResource: "string",
actionSnowEventParamSeverity: 0,
actionSnowEventParamType: "string",
actionSummaryIndexCommand: "string",
actionSummaryIndexHostname: "string",
actionSummaryIndexInline: false,
actionSummaryIndexMaxResults: 0,
actionSummaryIndexMaxTime: 0,
actionSummaryIndexName: "string",
actionSummaryIndexTrackAlert: false,
actionSummaryIndexTtl: "string",
actionWebhookParamUrl: "string",
actions: "string",
alertComparator: "string",
alertCondition: "string",
alertDigestMode: false,
alertExpires: "string",
alertSeverity: 0,
alertSuppress: false,
alertSuppressFields: "string",
alertSuppressPeriod: "string",
alertThreshold: "string",
alertTrack: false,
alertType: "string",
allowSkew: "string",
autoSummarize: false,
autoSummarizeCommand: "string",
autoSummarizeCronSchedule: "string",
autoSummarizeDispatchEarliestTime: "string",
autoSummarizeDispatchLatestTime: "string",
autoSummarizeDispatchTimeFormat: "string",
autoSummarizeDispatchTtl: "string",
autoSummarizeMaxDisabledBuckets: 0,
autoSummarizeMaxSummaryRatio: 0,
autoSummarizeMaxSummarySize: 0,
autoSummarizeMaxTime: 0,
autoSummarizeSuspendPeriod: "string",
autoSummarizeTimespan: "string",
cronSchedule: "string",
description: "string",
disabled: false,
dispatchBuckets: 0,
dispatchEarliestTime: "string",
dispatchIndexEarliest: "string",
dispatchIndexLatest: "string",
dispatchIndexedRealtime: false,
dispatchIndexedRealtimeMinspan: 0,
dispatchIndexedRealtimeOffset: 0,
dispatchLatestTime: "string",
dispatchLookups: false,
dispatchMaxCount: 0,
dispatchMaxTime: 0,
dispatchReduceFreq: 0,
dispatchRtBackfill: false,
dispatchRtMaximumSpan: 0,
dispatchSpawnProcess: false,
dispatchTimeFormat: "string",
dispatchTtl: "string",
displayView: "string",
isScheduled: false,
isVisible: false,
maxConcurrent: 0,
name: "string",
realtimeSchedule: false,
requestUiDispatchApp: "string",
requestUiDispatchView: "string",
restartOnSearchpeerAdd: false,
runOnStartup: false,
schedulePriority: "string",
scheduleWindow: "string",
vsid: "string",
workloadPool: "string",
});
type: splunk:SavedSearches
properties:
acl:
app: string
canChangePerms: false
canShareApp: false
canShareGlobal: false
canShareUser: false
canWrite: false
owner: string
reads:
- string
removable: false
sharing: string
writes:
- string
actionCreateXsoarIncident: string
actionCreateXsoarIncidentParamCustomFields: string
actionCreateXsoarIncidentParamDetails: string
actionCreateXsoarIncidentParamIncidentName: string
actionCreateXsoarIncidentParamOccurred: string
actionCreateXsoarIncidentParamSendAllServers: string
actionCreateXsoarIncidentParamServerUrl: string
actionCreateXsoarIncidentParamSeverity: string
actionCreateXsoarIncidentParamType: string
actionEmailAuthPassword: string
actionEmailAuthUsername: string
actionEmailBcc: string
actionEmailCc: string
actionEmailCommand: string
actionEmailFormat: string
actionEmailFrom: string
actionEmailHostname: string
actionEmailIncludeResultsLink: 0
actionEmailIncludeSearch: 0
actionEmailIncludeTrigger: 0
actionEmailIncludeTriggerTime: 0
actionEmailIncludeViewLink: 0
actionEmailInline: false
actionEmailMailserver: string
actionEmailMaxResults: 0
actionEmailMaxTime: string
actionEmailMessageAlert: string
actionEmailMessageReport: string
actionEmailPdfview: string
actionEmailPreprocessResults: string
actionEmailReportCidFontList: string
actionEmailReportIncludeSplunkLogo: false
actionEmailReportPaperOrientation: string
actionEmailReportPaperSize: string
actionEmailReportServerEnabled: false
actionEmailReportServerUrl: string
actionEmailSendCsv: 0
actionEmailSendPdf: false
actionEmailSendResults: false
actionEmailSubject: string
actionEmailTo: string
actionEmailTrackAlert: false
actionEmailTtl: string
actionEmailUseSsl: false
actionEmailUseTls: false
actionEmailWidthSortColumns: false
actionJiraServiceDeskParamAccount: string
actionJiraServiceDeskParamJiraCustomfields: string
actionJiraServiceDeskParamJiraDescription: string
actionJiraServiceDeskParamJiraIssueType: string
actionJiraServiceDeskParamJiraPriority: string
actionJiraServiceDeskParamJiraProject: string
actionJiraServiceDeskParamJiraSummary: string
actionPagerdutyCustomDetails: string
actionPagerdutyIntegrationKey: string
actionPagerdutyIntegrationKeyOverride: string
actionPagerdutyIntegrationUrl: string
actionPagerdutyIntegrationUrlOverride: string
actionPopulateLookupCommand: string
actionPopulateLookupDest: string
actionPopulateLookupHostname: string
actionPopulateLookupMaxResults: 0
actionPopulateLookupMaxTime: 0
actionPopulateLookupTrackAlert: false
actionPopulateLookupTtl: string
actionRssCommand: string
actionRssHostname: string
actionRssMaxResults: 0
actionRssMaxTime: 0
actionRssTrackAlert: false
actionRssTtl: string
actionScriptCommand: string
actionScriptFilename: string
actionScriptHostname: string
actionScriptMaxResults: 0
actionScriptMaxTime: 0
actionScriptTrackAlert: false
actionScriptTtl: string
actionSlackParamAttachment: string
actionSlackParamChannel: string
actionSlackParamFields: string
actionSlackParamMessage: string
actionSlackParamWebhookUrlOverride: string
actionSnowEventParamAccount: string
actionSnowEventParamAdditionalInfo: string
actionSnowEventParamCiIdentifier: string
actionSnowEventParamCustomFields: string
actionSnowEventParamDescription: string
actionSnowEventParamNode: string
actionSnowEventParamResource: string
actionSnowEventParamSeverity: 0
actionSnowEventParamType: string
actionSummaryIndexCommand: string
actionSummaryIndexHostname: string
actionSummaryIndexInline: false
actionSummaryIndexMaxResults: 0
actionSummaryIndexMaxTime: 0
actionSummaryIndexName: string
actionSummaryIndexTrackAlert: false
actionSummaryIndexTtl: string
actionWebhookParamUrl: string
actions: string
alertComparator: string
alertCondition: string
alertDigestMode: false
alertExpires: string
alertSeverity: 0
alertSuppress: false
alertSuppressFields: string
alertSuppressPeriod: string
alertThreshold: string
alertTrack: false
alertType: string
allowSkew: string
autoSummarize: false
autoSummarizeCommand: string
autoSummarizeCronSchedule: string
autoSummarizeDispatchEarliestTime: string
autoSummarizeDispatchLatestTime: string
autoSummarizeDispatchTimeFormat: string
autoSummarizeDispatchTtl: string
autoSummarizeMaxDisabledBuckets: 0
autoSummarizeMaxSummaryRatio: 0
autoSummarizeMaxSummarySize: 0
autoSummarizeMaxTime: 0
autoSummarizeSuspendPeriod: string
autoSummarizeTimespan: string
cronSchedule: string
description: string
disabled: false
dispatchBuckets: 0
dispatchEarliestTime: string
dispatchIndexEarliest: string
dispatchIndexLatest: string
dispatchIndexedRealtime: false
dispatchIndexedRealtimeMinspan: 0
dispatchIndexedRealtimeOffset: 0
dispatchLatestTime: string
dispatchLookups: false
dispatchMaxCount: 0
dispatchMaxTime: 0
dispatchReduceFreq: 0
dispatchRtBackfill: false
dispatchRtMaximumSpan: 0
dispatchSpawnProcess: false
dispatchTimeFormat: string
dispatchTtl: string
displayView: string
isScheduled: false
isVisible: false
maxConcurrent: 0
name: string
realtimeSchedule: false
requestUiDispatchApp: string
requestUiDispatchView: string
restartOnSearchpeerAdd: false
runOnStartup: false
schedulePriority: string
scheduleWindow: string
search: string
vsid: string
workloadPool: string
SavedSearches Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SavedSearches resource accepts the following input properties:
- Search string
- Required when creating a new search.
- Acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- Action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- Action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- Action
Create stringXsoar Incident Param Details - XSOAR incident description
- Action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- Action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- Action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- Action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- Action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- Action
Create stringXsoar Incident Param Type - XSOAR incident type
- Action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- Action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- Action
Email stringBcc - BCC email address to use if action.email is enabled.
- Action
Email stringCc - CC email address to use if action.email is enabled.
- Action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- Action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- Action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- Action
Email intInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- Action
Email intInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- Action
Email intInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- Action
Email intInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- Action
Email intInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- Action
Email boolInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- Action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- Action
Email intMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- Action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- Action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- Action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- Action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- Action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- Action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- Action
Email boolReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- Action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- Action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- Action
Email boolReport Server Enabled - No Supported
- Action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- Action
Email intSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- Action
Email boolSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- Action
Email boolSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- Action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- Action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- Action
Email boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- Action
Email boolUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- Action
Email boolUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- Action
Email boolWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- Action
Jira stringService Desk Param Account - Jira Service Desk account name
- Action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- Action
Jira stringService Desk Param Jira Description - Jira issue description
- Action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- Action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- Action
Jira stringService Desk Param Jira Project - Jira Project name
- Action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- Action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- Action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- Action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- Action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- Action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- Action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Populate intLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Populate intLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- Action
Populate boolLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- Action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Rss intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Rss intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Rss boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Script stringFilename - File name of the script to call. Required if script action is enabled
- Action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Script intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Script intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Script boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- Action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- Action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- Action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- Action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- Action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- Action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- Action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- Action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- Action
Snow stringEvent Param Description - A brief description of the event.
- Action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- Action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- Action
Snow intEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- Action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- Action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Summary boolIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- Action
Summary intIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Summary intIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- Action
Summary boolIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- Actions string
- A comma-separated list of actions to enable. For example: rss,email
- Alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- Alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- Alert
Digest boolMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- Alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- Alert
Suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- Alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- Alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- Alert
Track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- Alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- Allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- Auto
Summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- Auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- Auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- Auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- Auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- Auto
Summarize intMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- Auto
Summarize doubleMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- Auto
Summarize intMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- Auto
Summarize intMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- Auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- Auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- Cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- Description string
- Human-readable description of this saved search. Defaults to empty string.
- Disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- Dispatch
Buckets int - The maximum number of timeline buckets. Defaults to 0.
- Dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed boolRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed intRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Indexed intRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- Dispatch
Max intCount - The maximum number of results before finalizing the search. Defaults to 500000.
- Dispatch
Max intTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- Dispatch
Reduce intFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- Dispatch
Rt boolBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- Dispatch
Rt intMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- Dispatch
Spawn boolProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- Dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- Dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- Display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- Is
Scheduled bool - Whether this search is to be run on a schedule
- Is
Visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- Max
Concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- Name string
- A name for the search.
- Realtime
Schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- Request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- Request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- Restart
On boolSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- Run
On boolStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- Schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- Schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- Vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- Workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- Search string
- Required when creating a new search.
- Acl
Saved
Searches Acl Args - The app/user context that is the namespace for the resource
- Action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- Action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- Action
Create stringXsoar Incident Param Details - XSOAR incident description
- Action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- Action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- Action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- Action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- Action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- Action
Create stringXsoar Incident Param Type - XSOAR incident type
- Action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- Action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- Action
Email stringBcc - BCC email address to use if action.email is enabled.
- Action
Email stringCc - CC email address to use if action.email is enabled.
- Action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- Action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- Action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- Action
Email intInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- Action
Email intInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- Action
Email intInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- Action
Email intInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- Action
Email intInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- Action
Email boolInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- Action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- Action
Email intMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- Action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- Action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- Action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- Action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- Action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- Action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- Action
Email boolReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- Action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- Action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- Action
Email boolReport Server Enabled - No Supported
- Action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- Action
Email intSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- Action
Email boolSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- Action
Email boolSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- Action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- Action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- Action
Email boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- Action
Email boolUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- Action
Email boolUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- Action
Email boolWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- Action
Jira stringService Desk Param Account - Jira Service Desk account name
- Action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- Action
Jira stringService Desk Param Jira Description - Jira issue description
- Action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- Action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- Action
Jira stringService Desk Param Jira Project - Jira Project name
- Action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- Action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- Action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- Action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- Action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- Action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- Action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Populate intLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Populate intLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- Action
Populate boolLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- Action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Rss intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Rss intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Rss boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Script stringFilename - File name of the script to call. Required if script action is enabled
- Action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Script intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Script intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Script boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- Action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- Action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- Action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- Action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- Action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- Action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- Action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- Action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- Action
Snow stringEvent Param Description - A brief description of the event.
- Action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- Action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- Action
Snow intEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- Action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- Action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Summary boolIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- Action
Summary intIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Summary intIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- Action
Summary boolIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- Actions string
- A comma-separated list of actions to enable. For example: rss,email
- Alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- Alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- Alert
Digest boolMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- Alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- Alert
Suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- Alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- Alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- Alert
Track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- Alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- Allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- Auto
Summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- Auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- Auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- Auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- Auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- Auto
Summarize intMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- Auto
Summarize float64Max Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- Auto
Summarize intMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- Auto
Summarize intMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- Auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- Auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- Cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- Description string
- Human-readable description of this saved search. Defaults to empty string.
- Disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- Dispatch
Buckets int - The maximum number of timeline buckets. Defaults to 0.
- Dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed boolRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed intRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Indexed intRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- Dispatch
Max intCount - The maximum number of results before finalizing the search. Defaults to 500000.
- Dispatch
Max intTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- Dispatch
Reduce intFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- Dispatch
Rt boolBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- Dispatch
Rt intMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- Dispatch
Spawn boolProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- Dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- Dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- Display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- Is
Scheduled bool - Whether this search is to be run on a schedule
- Is
Visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- Max
Concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- Name string
- A name for the search.
- Realtime
Schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- Request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- Request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- Restart
On boolSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- Run
On boolStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- Schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- Schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- Vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- Workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- search String
- Required when creating a new search.
- acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- action
Create StringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create StringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create StringXsoar Incident Param Details - XSOAR incident description
- action
Create StringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create StringXsoar Incident Param Occurred - XSOAR incident time
- action
Create StringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create StringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create StringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create StringXsoar Incident Param Type - XSOAR incident type
- action
Email StringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email StringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email StringBcc - BCC email address to use if action.email is enabled.
- action
Email StringCc - CC email address to use if action.email is enabled.
- action
Email StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email StringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email StringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email StringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email IntegerInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email IntegerInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email IntegerInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email IntegerInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email IntegerInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email BooleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email StringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email IntegerMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email StringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email StringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email StringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email StringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email StringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email StringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email BooleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email StringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email StringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email BooleanReport Server Enabled - No Supported
- action
Email StringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email IntegerSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email BooleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email BooleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email StringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email StringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email StringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email BooleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email BooleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email BooleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira StringService Desk Param Account - Jira Service Desk account name
- action
Jira StringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira StringService Desk Param Jira Description - Jira issue description
- action
Jira StringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira StringService Desk Param Jira Priority - Jira priority of issue
- action
Jira StringService Desk Param Jira Project - Jira Project name
- action
Jira StringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty StringCustom Details - The PagerDuty custom details information.
- action
Pagerduty StringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty StringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty StringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty StringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate StringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate StringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate StringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate IntegerLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate IntegerLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate BooleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate StringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss IntegerMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss IntegerMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script StringFilename - File name of the script to call. Required if script action is enabled
- action
Script StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script IntegerMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script IntegerMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack StringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack StringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack StringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack StringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack StringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow StringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow StringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow StringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow StringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow StringEvent Param Description - A brief description of the event.
- action
Snow StringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow StringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow IntegerEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow StringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary StringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary StringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary BooleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary IntegerIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary IntegerIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary StringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary BooleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary StringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook StringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions String
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator String - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition String - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest BooleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires String - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity Integer - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress Boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress StringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress StringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold String - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track Boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type String - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew String - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize Boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize StringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize StringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize StringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize StringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize IntegerMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize DoubleMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize IntegerMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize IntegerMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize StringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize StringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule String - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description String
- Human-readable description of this saved search. Defaults to empty string.
- disabled Boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets Integer - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest StringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed BooleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed IntegerRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed IntegerRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest StringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups Boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max IntegerCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max IntegerTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce IntegerFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt BooleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt IntegerMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn BooleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time StringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl String - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View String - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled Boolean - Whether this search is to be run on a schedule
- is
Visible Boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent Integer - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name String
- A name for the search.
- realtime
Schedule Boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui StringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui StringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On BooleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On BooleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority String - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window String - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- vsid String
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool String - Specifies the new workload pool where the existing running search will be placed.`
- search string
- Required when creating a new search.
- acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create stringXsoar Incident Param Details - XSOAR incident description
- action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create stringXsoar Incident Param Type - XSOAR incident type
- action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email stringBcc - BCC email address to use if action.email is enabled.
- action
Email stringCc - CC email address to use if action.email is enabled.
- action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email numberInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email numberInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email numberInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email numberInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email numberInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email booleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email numberMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email booleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email booleanReport Server Enabled - No Supported
- action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email numberSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email booleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email booleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email booleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email booleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email booleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira stringService Desk Param Account - Jira Service Desk account name
- action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira stringService Desk Param Jira Description - Jira issue description
- action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- action
Jira stringService Desk Param Jira Project - Jira Project name
- action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate numberLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate numberLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate booleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss numberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss numberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script stringFilename - File name of the script to call. Required if script action is enabled
- action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script numberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script numberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow stringEvent Param Description - A brief description of the event.
- action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow numberEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary booleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary numberIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary numberIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary booleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions string
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest booleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity number - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize numberMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize numberMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize numberMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize numberMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description string
- Human-readable description of this saved search. Defaults to empty string.
- disabled boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets number - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed booleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed numberRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed numberRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max numberCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max numberTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce numberFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt booleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt numberMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn booleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled boolean - Whether this search is to be run on a schedule
- is
Visible boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent number - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name string
- A name for the search.
- realtime
Schedule boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On booleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On booleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- search str
- Required when creating a new search.
- acl
Saved
Searches Acl Args - The app/user context that is the namespace for the resource
- action_
create_ strxsoar_ incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action_
create_ strxsoar_ incident_ param_ custom_ fields - XSOAR custom incident fields (should be a comma separated list)
- action_
create_ strxsoar_ incident_ param_ details - XSOAR incident description
- action_
create_ strxsoar_ incident_ param_ incident_ name - XSOAR incident name
- action_
create_ strxsoar_ incident_ param_ occurred - XSOAR incident time
- action_
create_ strxsoar_ incident_ param_ send_ all_ servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action_
create_ strxsoar_ incident_ param_ server_ url - XSOAR Server instance URL (Should start with https:// || http://)
- action_
create_ strxsoar_ incident_ param_ severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action_
create_ strxsoar_ incident_ param_ type - XSOAR incident type
- action_
email_ strauth_ password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action_
email_ strauth_ username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action_
email_ strbcc - BCC email address to use if action.email is enabled.
- action_
email_ strcc - CC email address to use if action.email is enabled.
- action_
email_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
email_ strformat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action_
email_ strfrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action_
email_ strhostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action_
email_ intinclude_ results_ link - Specify whether to include a link to the results. Defaults to 0.
- action_
email_ intinclude_ search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action_
email_ intinclude_ trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action_
email_ intinclude_ trigger_ time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action_
email_ intinclude_ view_ link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action_
email_ boolinline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action_
email_ strmailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action_
email_ intmax_ results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action_
email_ strmax_ time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action_
email_ strmessage_ alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action_
email_ strmessage_ report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action_
email_ strpdfview - The name of the view to deliver if sendpdf is enabled
- action_
email_ strpreprocess_ results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action_
email_ strreport_ cid_ font_ list - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action_
email_ boolreport_ include_ splunk_ logo - Indicates whether to include the Splunk logo with the report.
- action_
email_ strreport_ paper_ orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action_
email_ strreport_ paper_ size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action_
email_ boolreport_ server_ enabled - No Supported
- action_
email_ strreport_ server_ url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action_
email_ intsend_ csv - Specify whether to send results as a CSV file. Defaults to 0.
- action_
email_ boolsend_ pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action_
email_ boolsend_ results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action_
email_ strsubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action_
email_ strto - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action_
email_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
email_ strttl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action_
email_ booluse_ ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action_
email_ booluse_ tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action_
email_ boolwidth_ sort_ columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action_
jira_ strservice_ desk_ param_ account - Jira Service Desk account name
- action_
jira_ strservice_ desk_ param_ jira_ customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action_
jira_ strservice_ desk_ param_ jira_ description - Jira issue description
- action_
jira_ strservice_ desk_ param_ jira_ issue_ type - Jira issue type name
- action_
jira_ strservice_ desk_ param_ jira_ priority - Jira priority of issue
- action_
jira_ strservice_ desk_ param_ jira_ project - Jira Project name
- action_
jira_ strservice_ desk_ param_ jira_ summary - Jira issue title/summary
- action_
pagerduty_ strcustom_ details - The PagerDuty custom details information.
- action_
pagerduty_ strintegration_ key - The PagerDuty integration Key.
- action_
pagerduty_ strintegration_ key_ override - The PagerDuty integration Key override.
- action_
pagerduty_ strintegration_ url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action_
pagerduty_ strintegration_ url_ override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action_
populate_ strlookup_ command - The search command (or pipeline) which is responsible for executing the action.
- action_
populate_ strlookup_ dest - Lookup name of path of the lookup to populate
- action_
populate_ strlookup_ hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
populate_ intlookup_ max_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
populate_ intlookup_ max_ time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action_
populate_ boollookup_ track_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
populate_ strlookup_ ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action_
rss_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
rss_ strhostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
rss_ intmax_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
rss_ intmax_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
rss_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
rss_ strttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
script_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
script_ strfilename - File name of the script to call. Required if script action is enabled
- action_
script_ strhostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
script_ intmax_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
script_ intmax_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
script_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
script_ strttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
slack_ strparam_ attachment - Include a message attachment. Valid values are message, none, or alert_link
- action_
slack_ strparam_ channel - Slack channel to send the message to (Should start with # or @)
- action_
slack_ strparam_ fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action_
slack_ strparam_ message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action_
slack_ strparam_ webhook_ url_ override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action_
snow_ strevent_ param_ account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action_
snow_ strevent_ param_ additional_ info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action_
snow_ strevent_ param_ ci_ identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action_
snow_ strevent_ param_ custom_ fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action_
snow_ strevent_ param_ description - A brief description of the event.
- action_
snow_ strevent_ param_ node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action_
snow_ strevent_ param_ resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action_
snow_ intevent_ param_ severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action_
snow_ strevent_ param_ type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action_
summary_ strindex_ command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
summary_ strindex_ hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
summary_ boolindex_ inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action_
summary_ intindex_ max_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
summary_ intindex_ max_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
summary_ strindex_ name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action_
summary_ boolindex_ track_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
summary_ strindex_ ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
webhook_ strparam_ url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions str
- A comma-separated list of actions to enable. For example: rss,email
- alert_
comparator str - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert_
condition str - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert_
digest_ boolmode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert_
expires str - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert_
severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert_
suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- alert_
suppress_ strfields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert_
suppress_ strperiod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert_
threshold str - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert_
track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert_
type str - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow_
skew str - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto_
summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto_
summarize_ strcommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto_
summarize_ strcron_ schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto_
summarize_ strdispatch_ earliest_ time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto_
summarize_ strdispatch_ latest_ time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto_
summarize_ strdispatch_ time_ format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto_
summarize_ strdispatch_ ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto_
summarize_ intmax_ disabled_ buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto_
summarize_ floatmax_ summary_ ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto_
summarize_ intmax_ summary_ size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto_
summarize_ intmax_ time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto_
summarize_ strsuspend_ period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto_
summarize_ strtimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron_
schedule str - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description str
- Human-readable description of this saved search. Defaults to empty string.
- disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch_
buckets int - The maximum number of timeline buckets. Defaults to 0.
- dispatch_
earliest_ strtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
index_ strearliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
index_ strlatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
indexed_ boolrealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
indexed_ intrealtime_ minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch_
indexed_ intrealtime_ offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch_
latest_ strtime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- dispatch_
max_ intcount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch_
max_ inttime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch_
reduce_ intfreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch_
rt_ boolbackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch_
rt_ intmaximum_ span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch_
spawn_ boolprocess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch_
time_ strformat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch_
ttl str - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display_
view str - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is_
scheduled bool - Whether this search is to be run on a schedule
- is_
visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max_
concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name str
- A name for the search.
- realtime_
schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request_
ui_ strdispatch_ app - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request_
ui_ strdispatch_ view - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart_
on_ boolsearchpeer_ add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run_
on_ boolstartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule_
priority str - Raises the scheduling priority of the named search. Defaults to Default
- schedule_
window str - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- vsid str
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload_
pool str - Specifies the new workload pool where the existing running search will be placed.`
- search String
- Required when creating a new search.
- acl Property Map
- The app/user context that is the namespace for the resource
- action
Create StringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create StringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create StringXsoar Incident Param Details - XSOAR incident description
- action
Create StringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create StringXsoar Incident Param Occurred - XSOAR incident time
- action
Create StringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create StringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create StringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create StringXsoar Incident Param Type - XSOAR incident type
- action
Email StringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email StringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email StringBcc - BCC email address to use if action.email is enabled.
- action
Email StringCc - CC email address to use if action.email is enabled.
- action
Email StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email StringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email StringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email StringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email NumberInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email NumberInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email NumberInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email NumberInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email NumberInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email BooleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email StringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email NumberMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email StringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email StringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email StringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email StringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email StringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email StringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email BooleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email StringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email StringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email BooleanReport Server Enabled - No Supported
- action
Email StringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email NumberSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email BooleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email BooleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email StringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email StringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email StringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email BooleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email BooleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email BooleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira StringService Desk Param Account - Jira Service Desk account name
- action
Jira StringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira StringService Desk Param Jira Description - Jira issue description
- action
Jira StringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira StringService Desk Param Jira Priority - Jira priority of issue
- action
Jira StringService Desk Param Jira Project - Jira Project name
- action
Jira StringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty StringCustom Details - The PagerDuty custom details information.
- action
Pagerduty StringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty StringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty StringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty StringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate StringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate StringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate StringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate NumberLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate NumberLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate BooleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate StringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss NumberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss NumberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script StringFilename - File name of the script to call. Required if script action is enabled
- action
Script StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script NumberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script NumberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack StringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack StringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack StringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack StringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack StringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow StringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow StringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow StringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow StringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow StringEvent Param Description - A brief description of the event.
- action
Snow StringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow StringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow NumberEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow StringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary StringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary StringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary BooleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary NumberIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary NumberIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary StringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary BooleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary StringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook StringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions String
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator String - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition String - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest BooleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires String - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity Number - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress Boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress StringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress StringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold String - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track Boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type String - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew String - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize Boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize StringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize StringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize StringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize StringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize NumberMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize NumberMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize NumberMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize NumberMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize StringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize StringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule String - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description String
- Human-readable description of this saved search. Defaults to empty string.
- disabled Boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets Number - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest StringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed BooleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed NumberRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed NumberRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest StringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups Boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max NumberCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max NumberTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce NumberFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt BooleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt NumberMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn BooleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time StringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl String - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View String - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled Boolean - Whether this search is to be run on a schedule
- is
Visible Boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent Number - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name String
- A name for the search.
- realtime
Schedule Boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui StringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui StringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On BooleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On BooleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority String - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window String - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- vsid String
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool String - Specifies the new workload pool where the existing running search will be placed.`
Outputs
All input properties are implicitly available as output properties. Additionally, the SavedSearches resource produces the following output properties:
- Action
Email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Populate boolLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Summary boolIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Id string
- The provider-assigned unique ID for this managed resource.
- Action
Email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Populate boolLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Summary boolIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Id string
- The provider-assigned unique ID for this managed resource.
- action
Email Boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate BooleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss Boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script Boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary BooleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- id String
- The provider-assigned unique ID for this managed resource.
- action
Email boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate booleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary booleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- id string
- The provider-assigned unique ID for this managed resource.
- action_
email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
populate_ boollookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action_
script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
summary_ boolindex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- id str
- The provider-assigned unique ID for this managed resource.
- action
Email Boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate BooleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss Boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script Boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary BooleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SavedSearches Resource
Get an existing SavedSearches resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SavedSearchesState, opts?: CustomResourceOptions): SavedSearches@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
acl: Optional[SavedSearchesAclArgs] = None,
action_create_xsoar_incident: Optional[str] = None,
action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
action_create_xsoar_incident_param_details: Optional[str] = None,
action_create_xsoar_incident_param_incident_name: Optional[str] = None,
action_create_xsoar_incident_param_occurred: Optional[str] = None,
action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
action_create_xsoar_incident_param_server_url: Optional[str] = None,
action_create_xsoar_incident_param_severity: Optional[str] = None,
action_create_xsoar_incident_param_type: Optional[str] = None,
action_email: Optional[bool] = None,
action_email_auth_password: Optional[str] = None,
action_email_auth_username: Optional[str] = None,
action_email_bcc: Optional[str] = None,
action_email_cc: Optional[str] = None,
action_email_command: Optional[str] = None,
action_email_format: Optional[str] = None,
action_email_from: Optional[str] = None,
action_email_hostname: Optional[str] = None,
action_email_include_results_link: Optional[int] = None,
action_email_include_search: Optional[int] = None,
action_email_include_trigger: Optional[int] = None,
action_email_include_trigger_time: Optional[int] = None,
action_email_include_view_link: Optional[int] = None,
action_email_inline: Optional[bool] = None,
action_email_mailserver: Optional[str] = None,
action_email_max_results: Optional[int] = None,
action_email_max_time: Optional[str] = None,
action_email_message_alert: Optional[str] = None,
action_email_message_report: Optional[str] = None,
action_email_pdfview: Optional[str] = None,
action_email_preprocess_results: Optional[str] = None,
action_email_report_cid_font_list: Optional[str] = None,
action_email_report_include_splunk_logo: Optional[bool] = None,
action_email_report_paper_orientation: Optional[str] = None,
action_email_report_paper_size: Optional[str] = None,
action_email_report_server_enabled: Optional[bool] = None,
action_email_report_server_url: Optional[str] = None,
action_email_send_csv: Optional[int] = None,
action_email_send_pdf: Optional[bool] = None,
action_email_send_results: Optional[bool] = None,
action_email_subject: Optional[str] = None,
action_email_to: Optional[str] = None,
action_email_track_alert: Optional[bool] = None,
action_email_ttl: Optional[str] = None,
action_email_use_ssl: Optional[bool] = None,
action_email_use_tls: Optional[bool] = None,
action_email_width_sort_columns: Optional[bool] = None,
action_jira_service_desk_param_account: Optional[str] = None,
action_jira_service_desk_param_jira_customfields: Optional[str] = None,
action_jira_service_desk_param_jira_description: Optional[str] = None,
action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
action_jira_service_desk_param_jira_priority: Optional[str] = None,
action_jira_service_desk_param_jira_project: Optional[str] = None,
action_jira_service_desk_param_jira_summary: Optional[str] = None,
action_pagerduty_custom_details: Optional[str] = None,
action_pagerduty_integration_key: Optional[str] = None,
action_pagerduty_integration_key_override: Optional[str] = None,
action_pagerduty_integration_url: Optional[str] = None,
action_pagerduty_integration_url_override: Optional[str] = None,
action_populate_lookup: Optional[bool] = None,
action_populate_lookup_command: Optional[str] = None,
action_populate_lookup_dest: Optional[str] = None,
action_populate_lookup_hostname: Optional[str] = None,
action_populate_lookup_max_results: Optional[int] = None,
action_populate_lookup_max_time: Optional[int] = None,
action_populate_lookup_track_alert: Optional[bool] = None,
action_populate_lookup_ttl: Optional[str] = None,
action_rss: Optional[bool] = None,
action_rss_command: Optional[str] = None,
action_rss_hostname: Optional[str] = None,
action_rss_max_results: Optional[int] = None,
action_rss_max_time: Optional[int] = None,
action_rss_track_alert: Optional[bool] = None,
action_rss_ttl: Optional[str] = None,
action_script: Optional[bool] = None,
action_script_command: Optional[str] = None,
action_script_filename: Optional[str] = None,
action_script_hostname: Optional[str] = None,
action_script_max_results: Optional[int] = None,
action_script_max_time: Optional[int] = None,
action_script_track_alert: Optional[bool] = None,
action_script_ttl: Optional[str] = None,
action_slack_param_attachment: Optional[str] = None,
action_slack_param_channel: Optional[str] = None,
action_slack_param_fields: Optional[str] = None,
action_slack_param_message: Optional[str] = None,
action_slack_param_webhook_url_override: Optional[str] = None,
action_snow_event_param_account: Optional[str] = None,
action_snow_event_param_additional_info: Optional[str] = None,
action_snow_event_param_ci_identifier: Optional[str] = None,
action_snow_event_param_custom_fields: Optional[str] = None,
action_snow_event_param_description: Optional[str] = None,
action_snow_event_param_node: Optional[str] = None,
action_snow_event_param_resource: Optional[str] = None,
action_snow_event_param_severity: Optional[int] = None,
action_snow_event_param_type: Optional[str] = None,
action_summary_index: Optional[bool] = None,
action_summary_index_command: Optional[str] = None,
action_summary_index_hostname: Optional[str] = None,
action_summary_index_inline: Optional[bool] = None,
action_summary_index_max_results: Optional[int] = None,
action_summary_index_max_time: Optional[int] = None,
action_summary_index_name: Optional[str] = None,
action_summary_index_track_alert: Optional[bool] = None,
action_summary_index_ttl: Optional[str] = None,
action_webhook_param_url: Optional[str] = None,
actions: Optional[str] = None,
alert_comparator: Optional[str] = None,
alert_condition: Optional[str] = None,
alert_digest_mode: Optional[bool] = None,
alert_expires: Optional[str] = None,
alert_severity: Optional[int] = None,
alert_suppress: Optional[bool] = None,
alert_suppress_fields: Optional[str] = None,
alert_suppress_period: Optional[str] = None,
alert_threshold: Optional[str] = None,
alert_track: Optional[bool] = None,
alert_type: Optional[str] = None,
allow_skew: Optional[str] = None,
auto_summarize: Optional[bool] = None,
auto_summarize_command: Optional[str] = None,
auto_summarize_cron_schedule: Optional[str] = None,
auto_summarize_dispatch_earliest_time: Optional[str] = None,
auto_summarize_dispatch_latest_time: Optional[str] = None,
auto_summarize_dispatch_time_format: Optional[str] = None,
auto_summarize_dispatch_ttl: Optional[str] = None,
auto_summarize_max_disabled_buckets: Optional[int] = None,
auto_summarize_max_summary_ratio: Optional[float] = None,
auto_summarize_max_summary_size: Optional[int] = None,
auto_summarize_max_time: Optional[int] = None,
auto_summarize_suspend_period: Optional[str] = None,
auto_summarize_timespan: Optional[str] = None,
cron_schedule: Optional[str] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
dispatch_buckets: Optional[int] = None,
dispatch_earliest_time: Optional[str] = None,
dispatch_index_earliest: Optional[str] = None,
dispatch_index_latest: Optional[str] = None,
dispatch_indexed_realtime: Optional[bool] = None,
dispatch_indexed_realtime_minspan: Optional[int] = None,
dispatch_indexed_realtime_offset: Optional[int] = None,
dispatch_latest_time: Optional[str] = None,
dispatch_lookups: Optional[bool] = None,
dispatch_max_count: Optional[int] = None,
dispatch_max_time: Optional[int] = None,
dispatch_reduce_freq: Optional[int] = None,
dispatch_rt_backfill: Optional[bool] = None,
dispatch_rt_maximum_span: Optional[int] = None,
dispatch_spawn_process: Optional[bool] = None,
dispatch_time_format: Optional[str] = None,
dispatch_ttl: Optional[str] = None,
display_view: Optional[str] = None,
is_scheduled: Optional[bool] = None,
is_visible: Optional[bool] = None,
max_concurrent: Optional[int] = None,
name: Optional[str] = None,
realtime_schedule: Optional[bool] = None,
request_ui_dispatch_app: Optional[str] = None,
request_ui_dispatch_view: Optional[str] = None,
restart_on_searchpeer_add: Optional[bool] = None,
run_on_startup: Optional[bool] = None,
schedule_priority: Optional[str] = None,
schedule_window: Optional[str] = None,
search: Optional[str] = None,
vsid: Optional[str] = None,
workload_pool: Optional[str] = None) -> SavedSearchesfunc GetSavedSearches(ctx *Context, name string, id IDInput, state *SavedSearchesState, opts ...ResourceOption) (*SavedSearches, error)public static SavedSearches Get(string name, Input<string> id, SavedSearchesState? state, CustomResourceOptions? opts = null)public static SavedSearches get(String name, Output<String> id, SavedSearchesState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- Action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- Action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- Action
Create stringXsoar Incident Param Details - XSOAR incident description
- Action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- Action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- Action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- Action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- Action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- Action
Create stringXsoar Incident Param Type - XSOAR incident type
- Action
Email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- Action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- Action
Email stringBcc - BCC email address to use if action.email is enabled.
- Action
Email stringCc - CC email address to use if action.email is enabled.
- Action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- Action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- Action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- Action
Email intInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- Action
Email intInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- Action
Email intInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- Action
Email intInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- Action
Email intInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- Action
Email boolInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- Action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- Action
Email intMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- Action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- Action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- Action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- Action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- Action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- Action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- Action
Email boolReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- Action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- Action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- Action
Email boolReport Server Enabled - No Supported
- Action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- Action
Email intSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- Action
Email boolSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- Action
Email boolSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- Action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- Action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- Action
Email boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- Action
Email boolUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- Action
Email boolUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- Action
Email boolWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- Action
Jira stringService Desk Param Account - Jira Service Desk account name
- Action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- Action
Jira stringService Desk Param Jira Description - Jira issue description
- Action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- Action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- Action
Jira stringService Desk Param Jira Project - Jira Project name
- Action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- Action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- Action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- Action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- Action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Populate boolLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- Action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- Action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Populate intLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Populate intLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- Action
Populate boolLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- Action
Rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Rss intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Rss intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Rss boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Script stringFilename - File name of the script to call. Required if script action is enabled
- Action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Script intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Script intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Script boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- Action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- Action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- Action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- Action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- Action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- Action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- Action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- Action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- Action
Snow stringEvent Param Description - A brief description of the event.
- Action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- Action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- Action
Snow intEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- Action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- Action
Summary boolIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Summary boolIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- Action
Summary intIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Summary intIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- Action
Summary boolIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- Actions string
- A comma-separated list of actions to enable. For example: rss,email
- Alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- Alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- Alert
Digest boolMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- Alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- Alert
Suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- Alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- Alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- Alert
Track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- Alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- Allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- Auto
Summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- Auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- Auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- Auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- Auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- Auto
Summarize intMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- Auto
Summarize doubleMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- Auto
Summarize intMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- Auto
Summarize intMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- Auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- Auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- Cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- Description string
- Human-readable description of this saved search. Defaults to empty string.
- Disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- Dispatch
Buckets int - The maximum number of timeline buckets. Defaults to 0.
- Dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed boolRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed intRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Indexed intRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- Dispatch
Max intCount - The maximum number of results before finalizing the search. Defaults to 500000.
- Dispatch
Max intTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- Dispatch
Reduce intFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- Dispatch
Rt boolBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- Dispatch
Rt intMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- Dispatch
Spawn boolProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- Dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- Dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- Display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- Is
Scheduled bool - Whether this search is to be run on a schedule
- Is
Visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- Max
Concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- Name string
- A name for the search.
- Realtime
Schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- Request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- Request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- Restart
On boolSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- Run
On boolStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- Schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- Schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- Search string
- Required when creating a new search.
- Vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- Workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- Acl
Saved
Searches Acl Args - The app/user context that is the namespace for the resource
- Action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- Action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- Action
Create stringXsoar Incident Param Details - XSOAR incident description
- Action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- Action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- Action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- Action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- Action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- Action
Create stringXsoar Incident Param Type - XSOAR incident type
- Action
Email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- Action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- Action
Email stringBcc - BCC email address to use if action.email is enabled.
- Action
Email stringCc - CC email address to use if action.email is enabled.
- Action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- Action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- Action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- Action
Email intInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- Action
Email intInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- Action
Email intInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- Action
Email intInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- Action
Email intInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- Action
Email boolInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- Action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- Action
Email intMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- Action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- Action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- Action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- Action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- Action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- Action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- Action
Email boolReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- Action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- Action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- Action
Email boolReport Server Enabled - No Supported
- Action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- Action
Email intSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- Action
Email boolSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- Action
Email boolSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- Action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- Action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- Action
Email boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- Action
Email boolUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- Action
Email boolUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- Action
Email boolWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- Action
Jira stringService Desk Param Account - Jira Service Desk account name
- Action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- Action
Jira stringService Desk Param Jira Description - Jira issue description
- Action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- Action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- Action
Jira stringService Desk Param Jira Project - Jira Project name
- Action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- Action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- Action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- Action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- Action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- Action
Populate boolLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- Action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- Action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Populate intLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Populate intLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- Action
Populate boolLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- Action
Rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Rss intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Rss intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Rss boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Script stringFilename - File name of the script to call. Required if script action is enabled
- Action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Script intMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Script intMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Script boolTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- Action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- Action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- Action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- Action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- Action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- Action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- Action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- Action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- Action
Snow stringEvent Param Description - A brief description of the event.
- Action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- Action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- Action
Snow intEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- Action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- Action
Summary boolIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- Action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- Action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- Action
Summary boolIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- Action
Summary intIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- Action
Summary intIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- Action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- Action
Summary boolIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- Action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- Action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- Actions string
- A comma-separated list of actions to enable. For example: rss,email
- Alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- Alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- Alert
Digest boolMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- Alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- Alert
Suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- Alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- Alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- Alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- Alert
Track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- Alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- Allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- Auto
Summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- Auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- Auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- Auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- Auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- Auto
Summarize intMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- Auto
Summarize float64Max Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- Auto
Summarize intMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- Auto
Summarize intMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- Auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- Auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- Cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- Description string
- Human-readable description of this saved search. Defaults to empty string.
- Disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- Dispatch
Buckets int - The maximum number of timeline buckets. Defaults to 0.
- Dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed boolRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Indexed intRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Indexed intRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- Dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- Dispatch
Lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- Dispatch
Max intCount - The maximum number of results before finalizing the search. Defaults to 500000.
- Dispatch
Max intTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- Dispatch
Reduce intFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- Dispatch
Rt boolBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- Dispatch
Rt intMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- Dispatch
Spawn boolProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- Dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- Dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- Display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- Is
Scheduled bool - Whether this search is to be run on a schedule
- Is
Visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- Max
Concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- Name string
- A name for the search.
- Realtime
Schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- Request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- Request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- Restart
On boolSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- Run
On boolStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- Schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- Schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- Search string
- Required when creating a new search.
- Vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- Workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- action
Create StringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create StringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create StringXsoar Incident Param Details - XSOAR incident description
- action
Create StringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create StringXsoar Incident Param Occurred - XSOAR incident time
- action
Create StringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create StringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create StringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create StringXsoar Incident Param Type - XSOAR incident type
- action
Email Boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Email StringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email StringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email StringBcc - BCC email address to use if action.email is enabled.
- action
Email StringCc - CC email address to use if action.email is enabled.
- action
Email StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email StringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email StringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email StringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email IntegerInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email IntegerInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email IntegerInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email IntegerInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email IntegerInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email BooleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email StringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email IntegerMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email StringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email StringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email StringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email StringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email StringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email StringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email BooleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email StringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email StringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email BooleanReport Server Enabled - No Supported
- action
Email StringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email IntegerSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email BooleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email BooleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email StringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email StringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email StringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email BooleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email BooleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email BooleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira StringService Desk Param Account - Jira Service Desk account name
- action
Jira StringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira StringService Desk Param Jira Description - Jira issue description
- action
Jira StringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira StringService Desk Param Jira Priority - Jira priority of issue
- action
Jira StringService Desk Param Jira Project - Jira Project name
- action
Jira StringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty StringCustom Details - The PagerDuty custom details information.
- action
Pagerduty StringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty StringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty StringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty StringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate BooleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate StringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate StringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate StringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate IntegerLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate IntegerLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate BooleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate StringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss Boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss IntegerMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss IntegerMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script Boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script StringFilename - File name of the script to call. Required if script action is enabled
- action
Script StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script IntegerMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script IntegerMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack StringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack StringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack StringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack StringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack StringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow StringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow StringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow StringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow StringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow StringEvent Param Description - A brief description of the event.
- action
Snow StringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow StringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow IntegerEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow StringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary BooleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary StringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary StringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary BooleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary IntegerIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary IntegerIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary StringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary BooleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary StringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook StringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions String
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator String - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition String - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest BooleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires String - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity Integer - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress Boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress StringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress StringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold String - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track Boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type String - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew String - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize Boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize StringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize StringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize StringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize StringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize IntegerMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize DoubleMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize IntegerMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize IntegerMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize StringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize StringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule String - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description String
- Human-readable description of this saved search. Defaults to empty string.
- disabled Boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets Integer - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest StringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed BooleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed IntegerRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed IntegerRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest StringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups Boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max IntegerCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max IntegerTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce IntegerFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt BooleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt IntegerMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn BooleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time StringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl String - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View String - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled Boolean - Whether this search is to be run on a schedule
- is
Visible Boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent Integer - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name String
- A name for the search.
- realtime
Schedule Boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui StringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui StringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On BooleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On BooleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority String - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window String - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- search String
- Required when creating a new search.
- vsid String
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool String - Specifies the new workload pool where the existing running search will be placed.`
- acl
Saved
Searches Acl - The app/user context that is the namespace for the resource
- action
Create stringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create stringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create stringXsoar Incident Param Details - XSOAR incident description
- action
Create stringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create stringXsoar Incident Param Occurred - XSOAR incident time
- action
Create stringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create stringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create stringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create stringXsoar Incident Param Type - XSOAR incident type
- action
Email boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Email stringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email stringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email stringBcc - BCC email address to use if action.email is enabled.
- action
Email stringCc - CC email address to use if action.email is enabled.
- action
Email stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email stringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email stringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email stringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email numberInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email numberInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email numberInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email numberInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email numberInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email booleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email stringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email numberMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email stringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email stringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email stringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email stringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email stringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email stringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email booleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email stringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email stringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email booleanReport Server Enabled - No Supported
- action
Email stringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email numberSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email booleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email booleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email stringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email stringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email stringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email booleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email booleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email booleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira stringService Desk Param Account - Jira Service Desk account name
- action
Jira stringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira stringService Desk Param Jira Description - Jira issue description
- action
Jira stringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira stringService Desk Param Jira Priority - Jira priority of issue
- action
Jira stringService Desk Param Jira Project - Jira Project name
- action
Jira stringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty stringCustom Details - The PagerDuty custom details information.
- action
Pagerduty stringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty stringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty stringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty stringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate booleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate stringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate stringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate stringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate numberLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate numberLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate booleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate stringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss numberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss numberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script stringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script stringFilename - File name of the script to call. Required if script action is enabled
- action
Script stringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script numberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script numberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script booleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script stringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack stringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack stringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack stringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack stringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack stringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow stringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow stringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow stringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow stringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow stringEvent Param Description - A brief description of the event.
- action
Snow stringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow stringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow numberEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow stringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary booleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary stringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary stringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary booleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary numberIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary numberIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary stringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary booleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary stringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook stringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions string
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator string - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition string - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest booleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires string - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity number - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress stringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress stringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold string - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type string - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew string - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize stringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize stringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize stringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize stringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize stringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize stringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize numberMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize numberMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize numberMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize numberMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize stringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize stringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule string - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description string
- Human-readable description of this saved search. Defaults to empty string.
- disabled boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets number - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest stringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index stringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index stringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed booleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed numberRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed numberRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest stringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max numberCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max numberTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce numberFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt booleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt numberMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn booleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time stringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl string - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View string - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled boolean - Whether this search is to be run on a schedule
- is
Visible boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent number - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name string
- A name for the search.
- realtime
Schedule boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui stringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui stringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On booleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On booleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority string - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window string - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- search string
- Required when creating a new search.
- vsid string
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool string - Specifies the new workload pool where the existing running search will be placed.`
- acl
Saved
Searches Acl Args - The app/user context that is the namespace for the resource
- action_
create_ strxsoar_ incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action_
create_ strxsoar_ incident_ param_ custom_ fields - XSOAR custom incident fields (should be a comma separated list)
- action_
create_ strxsoar_ incident_ param_ details - XSOAR incident description
- action_
create_ strxsoar_ incident_ param_ incident_ name - XSOAR incident name
- action_
create_ strxsoar_ incident_ param_ occurred - XSOAR incident time
- action_
create_ strxsoar_ incident_ param_ send_ all_ servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action_
create_ strxsoar_ incident_ param_ server_ url - XSOAR Server instance URL (Should start with https:// || http://)
- action_
create_ strxsoar_ incident_ param_ severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action_
create_ strxsoar_ incident_ param_ type - XSOAR incident type
- action_
email bool - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
email_ strauth_ password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action_
email_ strauth_ username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action_
email_ strbcc - BCC email address to use if action.email is enabled.
- action_
email_ strcc - CC email address to use if action.email is enabled.
- action_
email_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
email_ strformat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action_
email_ strfrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action_
email_ strhostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action_
email_ intinclude_ results_ link - Specify whether to include a link to the results. Defaults to 0.
- action_
email_ intinclude_ search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action_
email_ intinclude_ trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action_
email_ intinclude_ trigger_ time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action_
email_ intinclude_ view_ link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action_
email_ boolinline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action_
email_ strmailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action_
email_ intmax_ results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action_
email_ strmax_ time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action_
email_ strmessage_ alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action_
email_ strmessage_ report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action_
email_ strpdfview - The name of the view to deliver if sendpdf is enabled
- action_
email_ strpreprocess_ results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action_
email_ strreport_ cid_ font_ list - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action_
email_ boolreport_ include_ splunk_ logo - Indicates whether to include the Splunk logo with the report.
- action_
email_ strreport_ paper_ orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action_
email_ strreport_ paper_ size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action_
email_ boolreport_ server_ enabled - No Supported
- action_
email_ strreport_ server_ url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action_
email_ intsend_ csv - Specify whether to send results as a CSV file. Defaults to 0.
- action_
email_ boolsend_ pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action_
email_ boolsend_ results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action_
email_ strsubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action_
email_ strto - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action_
email_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
email_ strttl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action_
email_ booluse_ ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action_
email_ booluse_ tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action_
email_ boolwidth_ sort_ columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action_
jira_ strservice_ desk_ param_ account - Jira Service Desk account name
- action_
jira_ strservice_ desk_ param_ jira_ customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action_
jira_ strservice_ desk_ param_ jira_ description - Jira issue description
- action_
jira_ strservice_ desk_ param_ jira_ issue_ type - Jira issue type name
- action_
jira_ strservice_ desk_ param_ jira_ priority - Jira priority of issue
- action_
jira_ strservice_ desk_ param_ jira_ project - Jira Project name
- action_
jira_ strservice_ desk_ param_ jira_ summary - Jira issue title/summary
- action_
pagerduty_ strcustom_ details - The PagerDuty custom details information.
- action_
pagerduty_ strintegration_ key - The PagerDuty integration Key.
- action_
pagerduty_ strintegration_ key_ override - The PagerDuty integration Key override.
- action_
pagerduty_ strintegration_ url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action_
pagerduty_ strintegration_ url_ override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action_
populate_ boollookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
populate_ strlookup_ command - The search command (or pipeline) which is responsible for executing the action.
- action_
populate_ strlookup_ dest - Lookup name of path of the lookup to populate
- action_
populate_ strlookup_ hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
populate_ intlookup_ max_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
populate_ intlookup_ max_ time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action_
populate_ boollookup_ track_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
populate_ strlookup_ ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action_
rss bool - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action_
rss_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
rss_ strhostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
rss_ intmax_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
rss_ intmax_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
rss_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
rss_ strttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
script bool - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
script_ strcommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
script_ strfilename - File name of the script to call. Required if script action is enabled
- action_
script_ strhostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
script_ intmax_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
script_ intmax_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
script_ booltrack_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
script_ strttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
slack_ strparam_ attachment - Include a message attachment. Valid values are message, none, or alert_link
- action_
slack_ strparam_ channel - Slack channel to send the message to (Should start with # or @)
- action_
slack_ strparam_ fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action_
slack_ strparam_ message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action_
slack_ strparam_ webhook_ url_ override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action_
snow_ strevent_ param_ account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action_
snow_ strevent_ param_ additional_ info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action_
snow_ strevent_ param_ ci_ identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action_
snow_ strevent_ param_ custom_ fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action_
snow_ strevent_ param_ description - A brief description of the event.
- action_
snow_ strevent_ param_ node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action_
snow_ strevent_ param_ resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action_
snow_ intevent_ param_ severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action_
snow_ strevent_ param_ type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action_
summary_ boolindex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action_
summary_ strindex_ command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action_
summary_ strindex_ hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action_
summary_ boolindex_ inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action_
summary_ intindex_ max_ results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action_
summary_ intindex_ max_ time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action_
summary_ strindex_ name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action_
summary_ boolindex_ track_ alert - Indicates whether the execution of this action signifies a trackable alert.
- action_
summary_ strindex_ ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action_
webhook_ strparam_ url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions str
- A comma-separated list of actions to enable. For example: rss,email
- alert_
comparator str - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert_
condition str - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert_
digest_ boolmode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert_
expires str - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert_
severity int - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert_
suppress bool - Indicates whether alert suppression is enabled for this scheduled search.
- alert_
suppress_ strfields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert_
suppress_ strperiod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert_
threshold str - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert_
track bool - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert_
type str - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow_
skew str - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto_
summarize bool - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto_
summarize_ strcommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto_
summarize_ strcron_ schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto_
summarize_ strdispatch_ earliest_ time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto_
summarize_ strdispatch_ latest_ time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto_
summarize_ strdispatch_ time_ format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto_
summarize_ strdispatch_ ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto_
summarize_ intmax_ disabled_ buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto_
summarize_ floatmax_ summary_ ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto_
summarize_ intmax_ summary_ size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto_
summarize_ intmax_ time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto_
summarize_ strsuspend_ period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto_
summarize_ strtimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron_
schedule str - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description str
- Human-readable description of this saved search. Defaults to empty string.
- disabled bool
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch_
buckets int - The maximum number of timeline buckets. Defaults to 0.
- dispatch_
earliest_ strtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
index_ strearliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
index_ strlatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
indexed_ boolrealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
indexed_ intrealtime_ minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch_
indexed_ intrealtime_ offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch_
latest_ strtime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch_
lookups bool - Enables or disables the lookups for this search. Defaults to 1.
- dispatch_
max_ intcount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch_
max_ inttime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch_
reduce_ intfreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch_
rt_ boolbackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch_
rt_ intmaximum_ span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch_
spawn_ boolprocess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch_
time_ strformat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch_
ttl str - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display_
view str - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is_
scheduled bool - Whether this search is to be run on a schedule
- is_
visible bool - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max_
concurrent int - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name str
- A name for the search.
- realtime_
schedule bool - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request_
ui_ strdispatch_ app - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request_
ui_ strdispatch_ view - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart_
on_ boolsearchpeer_ add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run_
on_ boolstartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule_
priority str - Raises the scheduling priority of the named search. Defaults to Default
- schedule_
window str - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- search str
- Required when creating a new search.
- vsid str
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload_
pool str - Specifies the new workload pool where the existing running search will be placed.`
- acl Property Map
- The app/user context that is the namespace for the resource
- action
Create StringXsoar Incident - Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
- action
Create StringXsoar Incident Param Custom Fields - XSOAR custom incident fields (should be a comma separated list)
- action
Create StringXsoar Incident Param Details - XSOAR incident description
- action
Create StringXsoar Incident Param Incident Name - XSOAR incident name
- action
Create StringXsoar Incident Param Occurred - XSOAR incident time
- action
Create StringXsoar Incident Param Send All Servers - Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
- action
Create StringXsoar Incident Param Server Url - XSOAR Server instance URL (Should start with https:// || http://)
- action
Create StringXsoar Incident Param Severity - XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
- action
Create StringXsoar Incident Param Type - XSOAR incident type
- action
Email Boolean - The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Email StringAuth Password - The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
- action
Email StringAuth Username - The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
- action
Email StringBcc - BCC email address to use if action.email is enabled.
- action
Email StringCc - CC email address to use if action.email is enabled.
- action
Email StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Email StringFormat - Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
- action
Email StringFrom - Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
- action
Email StringHostname - Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
- action
Email NumberInclude Results Link - Specify whether to include a link to the results. Defaults to 0.
- action
Email NumberInclude Search - Specify whether to include the search that caused an email to be sent. Defaults to 0.
- action
Email NumberInclude Trigger - Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
- action
Email NumberInclude Trigger Time - Specify whether to show the time that the alert was fired. Defaults to 0.
- action
Email NumberInclude View Link - Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
- action
Email BooleanInline - Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
- action
Email StringMailserver - Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
- action
Email NumberMax Results - Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
- action
Email StringMax Time - Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
- action
Email StringMessage Alert - Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
- action
Email StringMessage Report - Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
- action
Email StringPdfview - The name of the view to deliver if sendpdf is enabled
- action
Email StringPreprocess Results - Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
- action
Email StringReport Cid Font List - Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
- action
Email BooleanReport Include Splunk Logo - Indicates whether to include the Splunk logo with the report.
- action
Email StringReport Paper Orientation - Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
- action
Email StringReport Paper Size - Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
- action
Email BooleanReport Server Enabled - No Supported
- action
Email StringReport Server Url - Not supported.For a default locally installed report server, the URL is http://localhost:8091/
- action
Email NumberSend Csv - Specify whether to send results as a CSV file. Defaults to 0.
- action
Email BooleanSend Pdf - Indicates whether to create and send the results as a PDF. Defaults to false.
- action
Email BooleanSend Results - Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
- action
Email StringSubject - Specifies an alternate email subject.Defaults to SplunkAlert-.
- action
Email StringTo - A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
- action
Email BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Email StringTtl - Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
- action
Email BooleanUse Ssl - Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
- action
Email BooleanUse Tls - Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
- action
Email BooleanWidth Sort Columns - Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
- action
Jira StringService Desk Param Account - Jira Service Desk account name
- action
Jira StringService Desk Param Jira Customfields - Jira custom fields data (see https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html)
- action
Jira StringService Desk Param Jira Description - Jira issue description
- action
Jira StringService Desk Param Jira Issue Type - Jira issue type name
- action
Jira StringService Desk Param Jira Priority - Jira priority of issue
- action
Jira StringService Desk Param Jira Project - Jira Project name
- action
Jira StringService Desk Param Jira Summary - Jira issue title/summary
- action
Pagerduty StringCustom Details - The PagerDuty custom details information.
- action
Pagerduty StringIntegration Key - The PagerDuty integration Key.
- action
Pagerduty StringIntegration Key Override - The PagerDuty integration Key override.
- action
Pagerduty StringIntegration Url - The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Pagerduty StringIntegration Url Override - The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
- action
Populate BooleanLookup - The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Populate StringLookup Command - The search command (or pipeline) which is responsible for executing the action.
- action
Populate StringLookup Dest - Lookup name of path of the lookup to populate
- action
Populate StringLookup Hostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Populate NumberLookup Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Populate NumberLookup Max Time - Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
- action
Populate BooleanLookup Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Populate StringLookup Ttl - Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
- action
Rss Boolean - The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
- action
Rss StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Rss StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Rss NumberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Rss NumberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Rss BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Rss StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Script Boolean - The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Script StringCommand - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Script StringFilename - File name of the script to call. Required if script action is enabled
- action
Script StringHostname - Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Script NumberMax Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Script NumberMax Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Script BooleanTrack Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Script StringTtl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Slack StringParam Attachment - Include a message attachment. Valid values are message, none, or alert_link
- action
Slack StringParam Channel - Slack channel to send the message to (Should start with # or @)
- action
Slack StringParam Fields - Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
- action
Slack StringParam Message - Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
- action
Slack StringParam Webhook Url Override - You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
- action
Snow StringEvent Param Account - Account(s) for which the event is/ are to be created across ServiceNow instance(s).
- action
Snow StringEvent Param Additional Info - You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
- action
Snow StringEvent Param Ci Identifier - String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
- action
Snow StringEvent Param Custom Fields - The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
- action
Snow StringEvent Param Description - A brief description of the event.
- action
Snow StringEvent Param Node - The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
- action
Snow StringEvent Param Resource - The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
- action
Snow NumberEvent Param Severity - The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
- action
Snow StringEvent Param Type - The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
- action
Summary BooleanIndex - The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
- action
Summary StringIndex Command - The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
- action
Summary StringIndex Hostname - Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
- action
Summary BooleanIndex Inline - Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
- action
Summary NumberIndex Max Results - Sets the maximum number of search results sent using alerts. Defaults to 100.
- action
Summary NumberIndex Max Time - Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
- action
Summary StringIndex Name - Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
- action
Summary BooleanIndex Track Alert - Indicates whether the execution of this action signifies a trackable alert.
- action
Summary StringIndex Ttl - Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
- action
Webhook StringParam Url - URL to send the HTTP POST request to. Must be accessible from the Splunk server
- actions String
- A comma-separated list of actions to enable. For example: rss,email
- alert
Comparator String - One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
- alert
Condition String - Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
- alert
Digest BooleanMode - Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
- alert
Expires String - Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Severity Number - Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
- alert
Suppress Boolean - Indicates whether alert suppression is enabled for this scheduled search.
- alert
Suppress StringFields - Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
- alert
Suppress StringPeriod - Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
- alert
Threshold String - Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
- alert
Track Boolean - Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
- alert
Type String - What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
- allow
Skew String - Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
- auto
Summarize Boolean - Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
- auto
Summarize StringCommand - An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
- auto
Summarize StringCron Schedule - Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
- auto
Summarize StringDispatch Earliest Time - A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Latest Time - A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- auto
Summarize StringDispatch Time Format - Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
- auto
Summarize StringDispatch Ttl - Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
- auto
Summarize NumberMax Disabled Buckets - The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
- auto
Summarize NumberMax Summary Ratio - The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
- auto
Summarize NumberMax Summary Size - The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
- auto
Summarize NumberMax Time - Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
- auto
Summarize StringSuspend Period - Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
- auto
Summarize StringTimespan - The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
- cron
Schedule String - Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
- description String
- Human-readable description of this saved search. Defaults to empty string.
- disabled Boolean
- Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
- dispatch
Buckets Number - The maximum number of timeline buckets. Defaults to 0.
- dispatch
Earliest StringTime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringEarliest - A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Index StringLatest - A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed BooleanRealtime - A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Indexed NumberRealtime Minspan - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Indexed NumberRealtime Offset - Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
- dispatch
Latest StringTime - A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
- dispatch
Lookups Boolean - Enables or disables the lookups for this search. Defaults to 1.
- dispatch
Max NumberCount - The maximum number of results before finalizing the search. Defaults to 500000.
- dispatch
Max NumberTime - Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
- dispatch
Reduce NumberFreq - Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
- dispatch
Rt BooleanBackfill - Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
- dispatch
Rt NumberMaximum Span - Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
- dispatch
Spawn BooleanProcess - Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
- dispatch
Time StringFormat - A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
- dispatch
Ttl String - Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
- display
View String - Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
- is
Scheduled Boolean - Whether this search is to be run on a schedule
- is
Visible Boolean - Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
- max
Concurrent Number - The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
- name String
- A name for the search.
- realtime
Schedule Boolean - Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
- request
Ui StringDispatch App - Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
- request
Ui StringDispatch View - Specifies a field used by Splunk Web to denote the view this search should be displayed in.
- restart
On BooleanSearchpeer Add - Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
- run
On BooleanStartup - Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
- schedule
Priority String - Raises the scheduling priority of the named search. Defaults to Default
- schedule
Window String - Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
- search String
- Required when creating a new search.
- vsid String
- Defines the viewstate id associated with the UI view listed in 'displayview'.
- workload
Pool String - Specifies the new workload pool where the existing running search will be placed.`
Supporting Types
SavedSearchesAcl, SavedSearchesAclArgs
- App string
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- Can
Change boolPerms - Indicates if the active user can change permissions for this object. Defaults to true.
- bool
- Indicates if the active user can change sharing to app level. Defaults to true.
- bool
- Indicates if the active user can change sharing to system level. Defaults to true.
- bool
- Indicates if the active user can change sharing to user level. Defaults to true.
- Can
Write bool - Indicates if the active user can edit this object. Defaults to true.
- Owner string
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- Reads List<string>
- Properties that indicate resource read permissions.
- Removable bool
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- string
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- Writes List<string>
- Properties that indicate write permissions of the resource.
- App string
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- Can
Change boolPerms - Indicates if the active user can change permissions for this object. Defaults to true.
- bool
- Indicates if the active user can change sharing to app level. Defaults to true.
- bool
- Indicates if the active user can change sharing to system level. Defaults to true.
- bool
- Indicates if the active user can change sharing to user level. Defaults to true.
- Can
Write bool - Indicates if the active user can edit this object. Defaults to true.
- Owner string
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- Reads []string
- Properties that indicate resource read permissions.
- Removable bool
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- string
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- Writes []string
- Properties that indicate write permissions of the resource.
- app String
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- can
Change BooleanPerms - Indicates if the active user can change permissions for this object. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to app level. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to system level. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to user level. Defaults to true.
- can
Write Boolean - Indicates if the active user can edit this object. Defaults to true.
- owner String
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- reads List<String>
- Properties that indicate resource read permissions.
- removable Boolean
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- String
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- writes List<String>
- Properties that indicate write permissions of the resource.
- app string
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- can
Change booleanPerms - Indicates if the active user can change permissions for this object. Defaults to true.
- boolean
- Indicates if the active user can change sharing to app level. Defaults to true.
- boolean
- Indicates if the active user can change sharing to system level. Defaults to true.
- boolean
- Indicates if the active user can change sharing to user level. Defaults to true.
- can
Write boolean - Indicates if the active user can edit this object. Defaults to true.
- owner string
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- reads string[]
- Properties that indicate resource read permissions.
- removable boolean
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- string
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- writes string[]
- Properties that indicate write permissions of the resource.
- app str
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- can_
change_ boolperms - Indicates if the active user can change permissions for this object. Defaults to true.
- bool
- Indicates if the active user can change sharing to app level. Defaults to true.
- bool
- Indicates if the active user can change sharing to system level. Defaults to true.
- bool
- Indicates if the active user can change sharing to user level. Defaults to true.
- can_
write bool - Indicates if the active user can edit this object. Defaults to true.
- owner str
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- reads Sequence[str]
- Properties that indicate resource read permissions.
- removable bool
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- str
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- writes Sequence[str]
- Properties that indicate write permissions of the resource.
- app String
- The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
- can
Change BooleanPerms - Indicates if the active user can change permissions for this object. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to app level. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to system level. Defaults to true.
- Boolean
- Indicates if the active user can change sharing to user level. Defaults to true.
- can
Write Boolean - Indicates if the active user can edit this object. Defaults to true.
- owner String
- User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
- reads List<String>
- Properties that indicate resource read permissions.
- removable Boolean
- Indicates whether an admin or user with sufficient permissions can delete the entity.
- String
- Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
- writes List<String>
- Properties that indicate write permissions of the resource.
Package Details
- Repository
- Splunk pulumi/pulumi-splunk
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
splunkTerraform Provider.