Knowledge endpoint descriptions

Work with searches and other knowledge objects.

Define data configurations indexed and searched by the Splunk platform.
Manage how data is handled, using look-ups, field extractions, field aliases, sourcetypes, and transforms.
Manage saved event types.
Manage search field configurations and search time tags.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments

Use the following URL for managed deployments. If necessary, submit a support case to open port 8089 on your deployment. Please include the IP Addresses/CIDR Ranges you would like to have access from.

https://<deployment-name>.splunkcloud.com:8089

E-commerce Splunk Cloud deployments

Use the following URL for e-commerce deployments. To get the required non-SAML user credentials, submit a support case.

http://api-<deployment-name>.cloud.splunk.com:8089

See Using the REST API in Splunk Cloud in the the Splunk REST API Tutorials for more information.

admin/summarization

https://<host>:<mPort>/services/admin/summarization/?by_tstats=1

Review data model acceleration information.

Authentication and authorization

Authorization to access data model acceleration information is role-based.

Name	Description
eai:appName	The app for which the lookup table applies.
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Name	Type	Default	Description
eai:data required	String		Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name required	String		The lookup table filename.

Name	Description
eai:appName	The app for which the lookup table applies.
eai:attributes	Field control information.
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Name	Description
attribute	The name of the calculated field, which includes the "EVAL-" prefix.
field.name	The name of the field which is being calculated with an EVAL expression.
stanza	The name of the stanza in props.conf that defines the calculated field.
type	The type of the calculated field. This is always EVAL.
value	The EVAL statement for the calculated field.

Name	Description
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field extraction applies. for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Name	Type	Description
name required	String	The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza required	String	The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type required	Enum	Valid values: (REPORT \| EXTRACT) An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.
value required	String	If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.

Name	Description
alias.*	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Name	Type	Description
alias.*	String	The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
name required	String	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza required	String	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.

Name	Description
attribute	Specifies the field extraction configuration. For example, LOOKUP-my_lookup.
overwrite	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	The transforms.conf stanza that defines the lookup to apply.
type	Specifies the field extraction type. For this endpoint, this is always `LOOKUP`
value	The transform stanza with the value for the lookup.

Name	Type	Description
lookup.field.input.*	String	A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.*	String	A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
name required	String	The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite required	Boolean	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza required	String	The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform required	String	The transforms.conf stanza that defines the lookup to apply.

Name	Description
CAN_OPTIMIZE	Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk software applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Name	Type	Default	Description
CAN_OPTIMIZE	Bool	True	Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search. NOTE: This option should rarely be set to false.
CLEAN_KEYS	Boolean	True	If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
disabled	Boolean		Specifies whether the field transformation is disabled.
FORMAT	String		This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>\|$<extracting-group-number>] \tfield-value = [<string>\|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string.
KEEP_EMPTY_VALS	Boolean	False	If set to true, Splunk software preserves extracted fields with empty values.
MV_ADD	Boolean	False	If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
name required	String		The name of the field transformation.
REGEX required	String		Specify a regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string.
SOURCE_KEY required	String	_raw	Specify the KEY to which Splunk software applies REGEX.

Name	Description
CAN_OPTIMIZE	Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk software applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Name	Description
CAN_OPTIMIZE	Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk software applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:attributes	Field control information.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Name	Description
attribute	The configuration key.
stanza	The sourcetype to rename, which is the name of a stanza in props.conf.
type	The value of the configuration key.
value	The new name for the sourcetype.

Name	Type	Default	Description
name required	String		The original sourcetype name.
value required	String		The new sourcetype name.

Name	Type	Default	Description
collection	String	`<empty>`	Name of the collection to use for this lookup. The collection should be defined in `$SPLUNK_HOME/etc/<app_name>/collections.conf` for the current app. To create a KV Store lookup, use `collection` to pass in the KV Store collection name and include the `external_type` parameter with a value of `kvstore` in your `POST` request.
name	String		The name of the lookup definition.
default_match	String		If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled	Boolean		Specifies whether the lookup definition is disabled.
external_cmd	String		Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
external_type	One of the following values: `python` `executable` `geo` `kvstore`	`python`	Type of external command for performing a lookup. To define a KV Store lookup, use `external_type = kvstore`. Include the KV Store `collection` name in your `POST` request.
fields_list	String		A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename	String		The name of the static lookup table file.
max_matches	Number		The maximum number of possible matches for each input lookup value.
max_offset_secs	Number		For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches	Number		The minimum number of possible matches for each input lookup value.
min_offset_secs	Number		For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
replicate_delta	Boolean	`false`	Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table.
time_field	String		For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format	String		For temporal lookups, this specifies the "strptime" format of the timestamp field.

Name	Description
CAN_OPTIMIZE	Indicates whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	Indicates whether Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.
KEEP_EMPTY_VALS	Indicates whether Splunk software preserves extracted fields with empty values.
LOOKAHEAD	For index-time filed extractions. Specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	"If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk software applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if this lookup is disabled.
eai:appName	The Splunk software app for which the lookups are defined. For example, the search app.
eai:attributes	Field control information.
eai:userName	The Splunk user for which the lookups are defined.
filename	The name of the static lookup table file.
replicate_delta	Indicates that only the changes to a CSV lookup table are replicated, rather than the entire lookup table.
type	Specifies the field extraction type. Can be either external or file.

Name	Description
eai:appName	App context for the panel.
eai:data	XML definition for the panel.
eai:userName	User who created the panel.
label	Panel label.
panel.title	Panel title.
rootNode	XML root node.

Name	Type	Default	Description
name	String		Panel name.
eai:data	XML document		Panel XML definition.

Name	Description
eai:appName	App context for the dashboard.
eai:data	XML definition for the dashboard.
eai:type	User interface type. For dashboards, this type is `view`.
eai:userName	User who created the dashboard.
isDashboard	Boolean value indicating whether the knowledge object is a dashboard.
isVisible	Boolean value indicating whether the dashboard is visible.
label	Dashboard label.
rootNode	XML root node.

Name	Type	Default	Description
name	String		Dashboard name.
eai:data	XML document		Dashboard XML definition.

Name	Description
acceleration	Indicates if acceleration is enabled for this data model.
acceleration.earliest_time	The earliest time to dispatch the search.
search	Specifies the search to accelerate this data model.

Name	Description
acceleration	Indicates whether acceleration is enabled for the data model.
concise	Indicates whether to list a concise JSON description of the data model.
description	The JSON describing the data model.
displayName	The name displayed for the data model in Splunk Web.
eai:appName	The Splunk app in which the data model was created.
eai:userName	The name of the user who created the data model.

Related answers from Splunk Community

Knowledge endpoint descriptions

Usage details

Review ACL information for an endpoint

Authentication and Authorization

App and user context

Splunk Cloud URL for REST API access

Managed Splunk Cloud deployments

E-commerce Splunk Cloud deployments

admin/summarization

GET

data/lookup-table-files

GET

POST

data/lookup-table-files/{name}

DELETE

GET

POST

data/props/calcfields

GET

POST

data/props/calcfields/{name}

DELETE

GET

POST

data/props/extractions

GET

POST

data/props/extractions/{name}

DELETE

GET

POST

data/props/fieldaliases

GET

POST

data/props/fieldaliases/{name}

DELETE

GET

POST

data/props/lookups

GET

POST

data/props/lookups/{name}

DELETE

GET

POST

data/props/sourcetype-rename

GET

POST

data/props/sourcetype-rename/{name}

DELETE

GET

POST

data/transforms/extractions

GET

POST

data/transforms/extractions/{name}

DELETE

GET

POST

Name	Type	Description
description	String	JSON description of the data model.
name	String	Name of the data model.
acceleration	String	Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings. enabled (true or false) earliest_time (time modifier) cron_schedule (cron string) Example acceleration= ' { "enabled": true, "earliest_time": -1mon, "cron_schedule": 0 /12 * * } '
Hunk data model acceleration settings	See description	Use these settings to configure acceleration for Hunk data models. hunk.compression_codec String, case-sensitive. Specifies the compression codec to be used for the accelerated orc or parquet format files. For `parquet` file format, use `snappy` or `gzip`. For `orc` file format, use `snappy` or `zlib`. hunk.dfs_block_size Unsigned integer Specifies the block size in bytes for the compression files. hunk.file_format String, case sensitive. Valid options are `orc` and `parquet` Example acceleration= ' { "hunk.file_format": "orc", "hunk.compression_codec": "snappy" } '

Name	Description
drilldown_search	The search for running this pivot report using drilldown
open_in_search	Equivalent to search parameter, but listed more simply.
pivot_json	JSON specifying a pivot based on the named data model.
pivot_search	A pivot search command based on the named data model.
search	The search string for running the pivot report
tstats_search	The search for running this pivot report using tstats

Name	Description
description	Description of this event type.
disabled	Indicates if the event type is disabled.
eai:appName	The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName	Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority	The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search	Search terms for this event type.
tags	[Deprecated] Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values.

Name	Type	Default	Description
name	String		The name for the event type.
search	String		Search terms for this event type.
description	String		Human-readable description of this event type.
disabled	Boolean	0	If True, disables the event type.
priority	Number	1	Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags	String		[Deprecated] Use `tags.conf.spec` file to assign tags to groups of events with related field values.

Name	Type	Description
value	String	The specific field value on which to bind the tags.
add	String	The tag to attach to this `field_name:value` combination.
delete	String	The tag to remove to this `field_name::value` combination.

Name	Type	Default	Description
add	String		A field:value pair to tag with {tag_name}.
delete	String		A field:value pair to remove from {tag_name}.