
Search endpoint examples

Note on the examples: every request below uses `curl -k` (skips TLS certificate verification) and `-u admin:pass` (credentials on the command line, where they end up in shell history and process listings). Both are for brevity only; in practice verify the management port's certificate and prefer a session or authentication token sent in an Authorization header. Responses can also echo sensitive configuration — the `saved/searches` POST response below includes `action.email.auth_username` and an obfuscated `action.email.auth_password` — so treat captured API output as sensitive data.
alerts/fired_alerts GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/fired_alerts
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>alerts</title> <id>https://localhost:8089/services/alerts/fired_alerts</id> <updated>2011-07-11T19:27:22-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <!-- opensearch nodes elided for brevity. --> <s:messages/> <entry> <title>-</title> <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/-</id> <updated>2011-07-11T19:27:22-07:00</updated> <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="list"/> <content type="text/xml"> <s:dict> <!-- eai:acl elided --> <s:key name="triggered_alert_count">0</s:key> </s:dict> </content> </entry> </feed>
alerts/fired_alerts/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/scheduler__admin__search_aGF2ZV9ldmVudHM_at_1310437740_5d3dfde563194ffd_1310437749
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>alerts</title> <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id> <updated>2011-07-11T19:35:25-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <!-- opensearch nodes elided for brevity. --> <s:messages/> </feed>
alerts/fired_alerts/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/MyAlert
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>alerts</title> <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id> <updated>2012-10-25T09:20:04-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <!-- opensearch nodes elided for brevity. --> <s:messages/> <entry> <title>rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</title> <id>https://localhost:8089/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</id> <updated>2012-10-25T09:19:47-07:00</updated> <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="alternate"/> <author> <name>admin</name> </author> <published>2012-10-25T09:19:47-07:00</published> <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="list"/> <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="remove"/> <link href="/servicesNS/nobody/search/search/jobs/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31" rel="job"/> <link href="/servicesNS/nobody/search/saved/searches/MyAlert" rel="savedsearch"/> <content type="text/xml"> <s:dict> <s:key name="actions"/> <s:key name="alert_type">real time</s:key> <s:key name="digest_mode">0</s:key> <!-- eai:acl elided --> <s:key name="expiration_time_rendered">2012-10-26 09:19:47 PDT</s:key> <s:key name="savedsearch_name">MyAlert</s:key> <s:key name="severity">3</s:key> <s:key name="sid">rt_scheduler__admin__search__MyAlert_at_1351181001_5.31</s:key> <s:key name="trigger_time">1351181987</s:key> <s:key name="trigger_time_rendered">2012-10-25 09:19:47 PDT</s:key> <s:key name="triggered_alerts">5</s:key> </s:dict> </content> </entry> . . . 
elided . . . </feed>
data/commands GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>commandsconf</title> <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id> <updated>2011-07-07T00:52:26-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/> <s:messages/> <entry> <title>bucketdir</title> <id>https://localhost:8089/servicesNS/nobody/search/data/commands/bucketdir</id> <updated>2011-07-07T00:52:26-07:00</updated> <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="list"/> <link href="/servicesNS/nobody/search/data/commands/bucketdir/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/data/commands/bucketdir/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="changes_colorder">1</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="enableheader">1</s:key> <s:key name="filename">bucketdir.py</s:key> <s:key name="generates_timeorder">0</s:key> <s:key name="generating">0</s:key> <s:key name="maxinputs">50000</s:key> <s:key name="outputheader">0</s:key> <s:key name="passauth">0</s:key> <s:key name="required_fields">*</s:key> <s:key name="requires_preop">0</s:key> <s:key name="retainsevents">0</s:key> <s:key name="streaming">0</s:key> <s:key name="supports_getinfo">0</s:key> <s:key name="supports_rawargs">1</s:key> <s:key name="type">python</s:key> </s:dict> </content> </entry> </feed>
data/commands/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands/input
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>commandsconf</title> <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id> <updated>2011-07-07T00:52:26-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/> <s:messages/> <entry> <title>input</title> <id>https://localhost:8089/servicesNS/nobody/search/data/commands/input</id> <updated>2011-07-07T00:52:26-07:00</updated> <link href="/servicesNS/nobody/search/data/commands/input" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/data/commands/input" rel="list"/> <link href="/servicesNS/nobody/search/data/commands/input/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/data/commands/input/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="changes_colorder">1</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:userName">admin</s:key> <s:key name="enableheader">1</s:key> <s:key name="filename">input.py</s:key> <s:key name="generates_timeorder">0</s:key> <s:key name="generating">0</s:key> <s:key name="maxinputs">50000</s:key> <s:key name="outputheader">0</s:key> <s:key name="passauth">1</s:key> <s:key name="required_fields">*</s:key> <s:key name="requires_preop">0</s:key> <s:key name="retainsevents">0</s:key> <s:key name="streaming">0</s:key> <s:key name="supports_getinfo">0</s:key> <s:key name="supports_rawargs">1</s:key> <s:key name="type">python</s:key> </s:dict> </content> </entry> </feed>
saved/searches GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>savedsearch</title> <id>https://localhost:8089/services/saved/searches</id> <updated>2011-07-13T11:56:35-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/services/saved/searches/_new" rel="create"/> <link href="/services/saved/searches/_reload" rel="_reload"/> <!-- opensearch nodes elided for brevity. --> <s:messages/> <entry> <title>Errors in the last 24 hours</title> <id>https://localhost:8089/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours</id> <updated>2011-07-13T11:56:35-07:00</updated> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="list"/> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="edit"/> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/disable" rel="disable"/> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/dispatch" rel="dispatch"/> <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/> <content type="text/xml"> <s:dict> <s:key name="action.email">0</s:key> <s:key name="action.email.reportServerEnabled">0</s:key> <s:key name="action.email.sendresults"/> <s:key name="action.email.to"/> <s:key name="action.populate_lookup">0</s:key> <s:key name="action.rss">0</s:key> <s:key name="action.script">0</s:key> <s:key name="action.summary_index">0</s:key> <s:key name="alert.digest_mode">1</s:key> <s:key name="alert.expires">24h</s:key> 
<s:key name="alert.severity">3</s:key> <s:key name="alert.suppress"/> <s:key name="alert.suppress.period"/> <s:key name="alert.track">auto</s:key> <s:key name="alert_comparator"/> <s:key name="alert_condition"/> <s:key name="alert_threshold"/> <s:key name="alert_type">always</s:key> <s:key name="cron_schedule"/> <s:key name="description"/> <s:key name="disabled">0</s:key> <s:key name="dispatch.buckets">0</s:key> <s:key name="dispatch.earliest_time">-1d</s:key> <s:key name="dispatch.latest_time"/> <s:key name="dispatch.lookups">1</s:key> <s:key name="dispatch.max_count">500000</s:key> <s:key name="dispatch.max_time">0</s:key> <s:key name="dispatch.reduce_freq">10</s:key> <s:key name="dispatch.spawn_process">1</s:key> <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key> <s:key name="dispatch.ttl">2p</s:key> <s:key name="displayview"/> <!-- eai:acl elided --> <s:key name="is_scheduled">0</s:key> <s:key name="is_visible">1</s:key> <s:key name="max_concurrent">1</s:key> <s:key name="next_scheduled_time"/> <s:key name="qualifiedSearch">search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key> <s:key name="realtime_schedule">1</s:key> <s:key name="request.ui_dispatch_app"/> <s:key name="request.ui_dispatch_view"/> <s:key name="restart_on_searchpeer_add">1</s:key> <s:key name="run_on_startup">0</s:key> <s:key name="search">error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key> <s:key name="vsid">*:75qh2fwx</s:key> </s:dict> </content> </entry> </feed>
saved/searches POST

Note: a saved search's alert actions include `action.script`, whose command (`runshellscript "$action.script.filename$" …` in the response below) appears to run a script on the Splunk host when the alert fires. Write access to this endpoint should therefore be granted only to principals you would trust with code execution on the search head.
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches -d name=MySavedSearch --data-urlencode search="index=_internal source=*metrics.log"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-12-09T09:10:21-08:00</updated> <generator version="108769"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>MySavedSearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id> <updated>2011-12-09T09:10:21-08:00</updated> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/> <author> <name>admin</name> </author> <!-- opensearch nodes elided for brevity. 
--> <content type="text/xml"> <s:dict> <s:key name="action.email">0</s:key> <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key> <s:key name="action.email.auth_username">myusername</s:key> <s:key name="action.email.bcc"></s:key> <s:key name="action.email.cc"></s:key> <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]> </s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"></s:key> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.pdfview"></s:key> <s:key name="action.email.preprocess_results"></s:key> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">1</s:key> <s:key name="action.email.reportServerURL"></s:key> <s:key name="action.email.sendpdf">0</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key 
name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to"></s:key> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">86400</s:key> <s:key name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="action.populate_lookup">0</s:key> <s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key> <s:key name="action.populate_lookup.dest"></s:key> <s:key name="action.populate_lookup.hostname"></s:key> <s:key name="action.populate_lookup.maxresults">10000</s:key> <s:key name="action.populate_lookup.maxtime">5m</s:key> <s:key name="action.populate_lookup.track_alert">0</s:key> <s:key name="action.populate_lookup.ttl">120</s:key> <s:key name="action.rss">0</s:key> <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$" </s:key> <s:key name="action.rss.hostname"></s:key> <s:key name="action.rss.maxresults">10000</s:key> <s:key name="action.rss.maxtime">1m</s:key> <s:key name="action.rss.track_alert">0</s:key> <s:key name="action.rss.ttl">86400</s:key> <s:key name="action.script">0</s:key> <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$" </s:key> <s:key name="action.script.filename"></s:key> <s:key name="action.script.hostname"></s:key> <s:key name="action.script.maxresults">10000</s:key> <s:key name="action.script.maxtime">5m</s:key> <s:key name="action.script.track_alert">1</s:key> <s:key name="action.script.ttl">600</s:key> <s:key name="action.summary_index">0</s:key> <s:key 
name="action.summary_index._name">summary</s:key> <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]> </s:key> <s:key name="action.summary_index.hostname"></s:key> <s:key name="action.summary_index.inline">1</s:key> <s:key name="action.summary_index.maxresults">10000</s:key> <s:key name="action.summary_index.maxtime">5m</s:key> <s:key name="action.summary_index.track_alert">0</s:key> <s:key name="action.summary_index.ttl">120</s:key> <s:key name="alert.digest_mode">1</s:key> <s:key name="alert.expires">24h</s:key> <s:key name="alert.severity">3</s:key> <s:key name="alert.suppress"></s:key> <s:key name="alert.suppress.fields"></s:key> <s:key name="alert.suppress.period"></s:key> <s:key name="alert.track">auto</s:key> <s:key name="alert_comparator"></s:key> <s:key name="alert_condition"></s:key> <s:key name="alert_threshold"></s:key> <s:key name="alert_type">always</s:key> <s:key name="cron_schedule"></s:key> <s:key name="description"></s:key> <s:key name="disabled">0</s:key> <s:key name="dispatch.buckets">0</s:key> <s:key name="dispatch.earliest_time"></s:key> <s:key name="dispatch.latest_time"></s:key> <s:key name="dispatch.lookups">1</s:key> <s:key name="dispatch.max_count">500000</s:key> <s:key name="dispatch.max_time">0</s:key> <s:key name="dispatch.reduce_freq">10</s:key> <s:key name="dispatch.rt_backfill">0</s:key> <s:key name="dispatch.spawn_process">1</s:key> <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key> <s:key name="dispatch.ttl">2p</s:key> <s:key name="displayview"></s:key> <!-- eai:acl elided --> <s:key name="is_scheduled">0</s:key> <s:key name="is_visible">1</s:key> <s:key name="max_concurrent">1</s:key> <s:key name="next_scheduled_time"></s:key> 
<s:key name="qualifiedSearch">search index=_internal source=*metrics.log</s:key> <s:key name="realtime_schedule">1</s:key> <s:key name="request.ui_dispatch_app"></s:key> <s:key name="request.ui_dispatch_view"></s:key> <s:key name="restart_on_searchpeer_add">1</s:key> <s:key name="run_on_startup">0</s:key> <s:key name="search">index=_internal source=*metrics.log</s:key> <s:key name="vsid"></s:key> </s:dict> </content> </entry> </feed>
saved/searches/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-13T12:09:05-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <!-- opensearch nodes elided for brevity. --> <s:messages/> </feed>
saved/searches/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-13T11:57:54-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <!-- opensearch nodes elided for brevity. --> <s:messages/> <entry> <title>MySavedSearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id> <updated>2011-07-13T11:57:54-07:00</updated> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/> <content type="text/xml"> <s:dict> <s:key name="action.email">0</s:key> <s:key name="action.email.auth_password"/> <s:key name="action.email.auth_username"/> <s:key name="action.email.bcc"/> <s:key name="action.email.cc"/> <s:key name="action.email.command"> <![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" 
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]> </s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"/> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.preprocess_results"/> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">0</s:key> <s:key name="action.email.reportServerURL"/> <s:key name="action.email.sendpdf">0</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to"/> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">86400</s:key> <s:key name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="action.populate_lookup">0</s:key> <s:key name="action.populate_lookup.command"> copyresults dest="$action.populate_lookup.dest$" sid="$search_id$" </s:key> <s:key name="action.populate_lookup.hostname"/> <s:key name="action.populate_lookup.maxresults">10000</s:key> 
<s:key name="action.populate_lookup.maxtime">5m</s:key> <s:key name="action.populate_lookup.track_alert">0</s:key> <s:key name="action.populate_lookup.ttl">120</s:key> <s:key name="action.rss">0</s:key> <s:key name="action.rss.command"> createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$" </s:key> <s:key name="action.rss.hostname"/> <s:key name="action.rss.maxresults">10000</s:key> <s:key name="action.rss.maxtime">1m</s:key> <s:key name="action.rss.track_alert">0</s:key> <s:key name="action.rss.ttl">86400</s:key> <s:key name="action.script">0</s:key> <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" maxtime="$action.script.maxtime{default=5m}$" </s:key> <s:key name="action.script.hostname"/> <s:key name="action.script.maxresults">10000</s:key> <s:key name="action.script.maxtime">5m</s:key> <s:key name="action.script.track_alert">1</s:key> <s:key name="action.script.ttl">600</s:key> <s:key name="action.summary_index">0</s:key> <s:key name="action.summary_index._name">summary</s:key> <s:key name="action.summary_index.command"> <![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]> </s:key> <s:key name="action.summary_index.hostname"/> <s:key name="action.summary_index.inline">1</s:key> <s:key name="action.summary_index.maxresults">10000</s:key> <s:key name="action.summary_index.maxtime">5m</s:key> <s:key name="action.summary_index.track_alert">0</s:key> <s:key 
name="action.summary_index.ttl">120</s:key> <s:key name="alert.digest_mode">1</s:key> <s:key name="alert.expires">24h</s:key> <s:key name="alert.severity">3</s:key> <s:key name="alert.suppress"/> <s:key name="alert.suppress.period"/> <s:key name="alert.track">auto</s:key> <s:key name="alert_comparator"/> <s:key name="alert_condition"/> <s:key name="alert_threshold"/> <s:key name="alert_type">always</s:key> <s:key name="cron_schedule"/> <s:key name="description"/> <s:key name="disabled">0</s:key> <s:key name="dispatch.buckets">0</s:key> <s:key name="dispatch.earliest_time"/> <s:key name="dispatch.latest_time"/> <s:key name="dispatch.lookups">1</s:key> <s:key name="dispatch.max_count">500000</s:key> <s:key name="dispatch.max_time">0</s:key> <s:key name="dispatch.reduce_freq">10</s:key> <s:key name="dispatch.spawn_process">1</s:key> <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key> <s:key name="dispatch.ttl">2p</s:key> <s:key name="displayview"/> <!-- eai:acl elided --> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>action.email</s:item> <s:item>action.email.auth_password</s:item> <s:item>action.email.auth_username</s:item> <s:item>action.email.bcc</s:item> <s:item>action.email.cc</s:item> <s:item>action.email.command</s:item> <s:item>action.email.format</s:item> <s:item>action.email.from</s:item> <s:item>action.email.hostname</s:item> <s:item>action.email.inline</s:item> <s:item>action.email.mailserver</s:item> <s:item>action.email.maxresults</s:item> <s:item>action.email.maxtime</s:item> <s:item>action.email.preprocess_results</s:item> <s:item>action.email.reportPaperOrientation</s:item> <s:item>action.email.reportPaperSize</s:item> <s:item>action.email.reportServerEnabled</s:item> <s:item>action.email.reportServerURL</s:item> <s:item>action.email.sendpdf</s:item> <s:item>action.email.sendresults</s:item> <s:item>action.email.subject</s:item> <s:item>action.email.to</s:item> <s:item>action.email.track_alert</s:item> 
<s:item>action.email.ttl</s:item> <s:item>action.email.use_ssl</s:item> <s:item>action.email.use_tls</s:item> <s:item>action.populate_lookup</s:item> <s:item>action.populate_lookup.command</s:item> <s:item>action.populate_lookup.hostname</s:item> <s:item>action.populate_lookup.maxresults</s:item> <s:item>action.populate_lookup.maxtime</s:item> <s:item>action.populate_lookup.track_alert</s:item> <s:item>action.populate_lookup.ttl</s:item> <s:item>action.rss</s:item> <s:item>action.rss.command</s:item> <s:item>action.rss.hostname</s:item> <s:item>action.rss.maxresults</s:item> <s:item>action.rss.maxtime</s:item> <s:item>action.rss.track_alert</s:item> <s:item>action.rss.ttl</s:item> <s:item>action.script</s:item> <s:item>action.script.command</s:item> <s:item>action.script.hostname</s:item> <s:item>action.script.maxresults</s:item> <s:item>action.script.maxtime</s:item> <s:item>action.script.track_alert</s:item> <s:item>action.script.ttl</s:item> <s:item>action.summary_index</s:item> <s:item>action.summary_index._name</s:item> <s:item>action.summary_index.command</s:item> <s:item>action.summary_index.hostname</s:item> <s:item>action.summary_index.inline</s:item> <s:item>action.summary_index.maxresults</s:item> <s:item>action.summary_index.maxtime</s:item> <s:item>action.summary_index.track_alert</s:item> <s:item>action.summary_index.ttl</s:item> <s:item>actions</s:item> <s:item>alert.digest_mode</s:item> <s:item>alert.expires</s:item> <s:item>alert.severity</s:item> <s:item>alert.suppress</s:item> <s:item>alert.suppress.period</s:item> <s:item>alert.track</s:item> <s:item>alert_comparator</s:item> <s:item>alert_condition</s:item> <s:item>alert_threshold</s:item> <s:item>alert_type</s:item> <s:item>cron_schedule</s:item> <s:item>description</s:item> <s:item>disabled</s:item> <s:item>dispatch.buckets</s:item> <s:item>dispatch.earliest_time</s:item> <s:item>dispatch.latest_time</s:item> <s:item>dispatch.lookups</s:item> <s:item>dispatch.max_count</s:item> 
<s:item>dispatch.max_time</s:item> <s:item>dispatch.reduce_freq</s:item> <s:item>dispatch.spawn_process</s:item> <s:item>dispatch.time_format</s:item> <s:item>dispatch.ttl</s:item> <s:item>displayview</s:item> <s:item>is_scheduled</s:item> <s:item>is_visible</s:item> <s:item>max_concurrent</s:item> <s:item>next_scheduled_time</s:item> <s:item>qualifiedSearch</s:item> <s:item>realtime_schedule</s:item> <s:item>request.ui_dispatch_app</s:item> <s:item>request.ui_dispatch_view</s:item> <s:item>restart_on_searchpeer_add</s:item> <s:item>run_on_startup</s:item> <s:item>vsid</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list> <s:item>search</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list> <s:item>action\..*</s:item> <s:item>args\..*</s:item> <s:item>dispatch\..*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="is_scheduled">0</s:key> <s:key name="is_visible">1</s:key> <s:key name="max_concurrent">1</s:key> <s:key name="next_scheduled_time"/> <s:key name="qualifiedSearch">search index</s:key> <s:key name="realtime_schedule">1</s:key> <s:key name="request.ui_dispatch_app"/> <s:key name="request.ui_dispatch_view"/> <s:key name="restart_on_searchpeer_add">1</s:key> <s:key name="run_on_startup">0</s:key> <s:key name="search">index</s:key> <s:key name="vsid"/> </s:dict> </content> </entry> </feed>
saved/searches/{name} POST

Note: this example passes the search with plain `-d`; a search string containing `&`, `=` or `+` would be mis-parsed as form fields. Use `--data-urlencode search="…"`, as in the `saved/searches` POST example above.
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch -d actions=email -d action.email.to="nobody@example.com, info@example.com" -d search="my search here"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-26T18:20:14-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>MySavedSearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id> <updated>2011-07-26T18:20:14-04:00</updated> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.auth_password"></s:key> <s:key name="action.email.auth_username"></s:key> <s:key name="action.email.bcc"></s:key> <s:key name="action.email.cc"></s:key> <s:key name="action.email.command"> <![CDATA[$action.email.preprocess_results{default=""}$ | 
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]> </s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"></s:key> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.preprocess_results"></s:key> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">0</s:key> <s:key name="action.email.reportServerURL"></s:key> <s:key name="action.email.sendpdf">0</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to">nobody@example.com,info@example.com</s:key> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">86400</s:key> <s:key name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="action.populate_lookup">0</s:key> <s:key name="action.populate_lookup.command">copyresults 
dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key> <s:key name="action.populate_lookup.hostname"></s:key> <s:key name="action.populate_lookup.maxresults">10000</s:key> <s:key name="action.populate_lookup.maxtime">5m</s:key> <s:key name="action.populate_lookup.track_alert">0</s:key> <s:key name="action.populate_lookup.ttl">120</s:key> <s:key name="action.rss">0</s:key> <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"</s:key> <s:key name="action.rss.hostname"></s:key> <s:key name="action.rss.maxresults">10000</s:key> <s:key name="action.rss.maxtime">1m</s:key> <s:key name="action.rss.track_alert">0</s:key> <s:key name="action.rss.ttl">86400</s:key> <s:key name="action.script">0</s:key> <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"</s:key> <s:key name="action.script.hostname"></s:key> <s:key name="action.script.maxresults">10000</s:key> <s:key name="action.script.maxtime">5m</s:key> <s:key name="action.script.track_alert">1</s:key> <s:key name="action.script.ttl">600</s:key> <s:key name="action.summary_index">0</s:key> <s:key name="action.summary_index._name">summary</s:key> <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]></s:key> <s:key name="action.summary_index.hostname"></s:key> <s:key 
name="action.summary_index.inline">1</s:key> <s:key name="action.summary_index.maxresults">10000</s:key> <s:key name="action.summary_index.maxtime">5m</s:key> <s:key name="action.summary_index.track_alert">0</s:key> <s:key name="action.summary_index.ttl">120</s:key> <s:key name="actions">email</s:key> <s:key name="alert.digest_mode">1</s:key> <s:key name="alert.expires">24h</s:key> <s:key name="alert.severity">3</s:key> <s:key name="alert.suppress"></s:key> <s:key name="alert.suppress.period"></s:key> <s:key name="alert.track">auto</s:key> <s:key name="alert_comparator"></s:key> <s:key name="alert_condition"></s:key> <s:key name="alert_threshold"></s:key> <s:key name="alert_type">always</s:key> <s:key name="cron_schedule"></s:key> <s:key name="description"></s:key> <s:key name="disabled">0</s:key> <s:key name="dispatch.buckets">0</s:key> <s:key name="dispatch.earliest_time"></s:key> <s:key name="dispatch.latest_time"></s:key> <s:key name="dispatch.lookups">1</s:key> <s:key name="dispatch.max_count">500000</s:key> <s:key name="dispatch.max_time">0</s:key> <s:key name="dispatch.reduce_freq">10</s:key> <s:key name="dispatch.rt_backfill">0</s:key> <s:key name="dispatch.spawn_process">1</s:key> <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key> <s:key name="dispatch.ttl">2p</s:key> <s:key name="displayview"></s:key> <!-- eai:acl elided --> <s:key name="is_scheduled">0</s:key> <s:key name="is_visible">1</s:key> <s:key name="max_concurrent">1</s:key> <s:key name="next_scheduled_time"></s:key> <s:key name="qualifiedSearch">search my seach here</s:key> <s:key name="realtime_schedule">1</s:key> <s:key name="request.ui_dispatch_app"></s:key> <s:key name="request.ui_dispatch_view"></s:key> <s:key name="restart_on_searchpeer_add">1</s:key> <s:key name="run_on_startup">0</s:key> <s:key name="search">my search here</s:key> <s:key name="vsid"></s:key> </s:dict> </content> </entry> </feed>
saved/searches/{name}/acknowledge POST
XML
XML Request (all examples on this page pass `-k`, which disables TLS certificate verification, and `-u admin:pass`, which places the password on the command line and in shell history; both are acceptable only against a local test instance with the default self-signed certificate — verify the server certificate and avoid inline passwords anywhere else)
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MyAlert/acknowledge -X POST
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-26T18:31:07-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
saved/searches/{name}/dispatch POST
XML
XML Request (`trigger_actions=1` asks the dispatch to run the search's configured alert actions as well, which can include the `action.script` shell command and the email action listed in the saved-search entry above; restrict dispatch of such searches to users you would trust to run those actions directly)
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch -d trigger_actions=1
XML Response
<?xml version='1.0' encoding='UTF-8'?> <response><sid>admin__admin__search__MySavedSearch_at_1311797437_d831d980832e3e89</sid></response>
saved/searches/{name}/history GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/history
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>MySavedSearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-26T18:13:20-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>2</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</title> <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</id> <updated>2011-07-26T18:13:18-04:00</updated> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="alternate"/> <author> <name>admin</name> </author> <published>2011-07-26T18:13:01-04:00</published> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="list"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="edit"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="remove"/> <content type="text/xml"> <s:dict> <!-- eai:acl elided --> <s:key name="isDone">1</s:key> <s:key name="isFinalized">0</s:key> <s:key name="isRealTimeSearch">0</s:key> <s:key name="isSaved">0</s:key> <s:key name="isScheduled">1</s:key> <s:key name="isZombie">0</s:key> <s:key 
name="ttl">86382</s:key> </s:dict> </content> </entry> <entry> <title>scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</title> <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</id> <updated>2011-07-26T17:51:23-04:00</updated> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="alternate"/> <author> <name>admin</name> </author> <published>2011-07-26T17:51:01-04:00</published> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="list"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="edit"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="remove"/> <content type="text/xml"> <s:dict> <!-- eai:acl elided --> <s:key name="isDone">1</s:key> <s:key name="isFinalized">0</s:key> <s:key name="isRealTimeSearch">0</s:key> <s:key name="isSaved">0</s:key> <s:key name="isScheduled">1</s:key> <s:key name="isZombie">0</s:key> <s:key name="ttl">85062</s:key> </s:dict> </content> </entry> </feed>
saved/searches/{name}/reschedule POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule -d schedule_time=2012-08-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/services/saved/searches</id> <updated>2012-07-27T11:21:43-07:00</updated> <generator build="131547" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/saved/searches/_new" rel="create"/> <link href="/services/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
saved/searches/{name}/scheduled_times GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response (note that the entry echoes `action.email.auth_username` together with an `action.email.auth_password` value in Splunk's `$1$`-prefixed form; this appears to be an encoded rather than plaintext value, but treat it as a credential — anyone who can read this saved search through the API receives it, so restrict read access accordingly)
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/services/saved/searches</id> <updated>2011-12-02T11:12:55-08:00</updated> <generator version="108769"/> <author> <name>Splunk</name> </author> <link href="/services/saved/searches/_new" rel="create"/> <link href="/services/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>_ScheduledView__dashboard_live</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live</id> <updated>2011-12-02T11:12:55-08:00</updated> <link href="/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live" rel="alternate"/> <author> <name>admin</name> </author> <!-- opensearch nodes elided for brevity. --> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key> <s:key name="action.email.auth_username">myusername</s:key> . . . elided . . . <s:key name="action.email.pdfview">dashboard_live</s:key> . . . elided . . . <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to">myusername@example.com</s:key> . . . elided . . . <s:key name="action.summary_index">0</s:key> <s:key name="action.summary_index._name">summary</s:key> . . . elided . . . 
<s:key name="actions">email</s:key> <s:key name="alert.digest_mode">1</s:key> <s:key name="alert.expires">24h</s:key> <s:key name="alert.severity">3</s:key> <s:key name="alert.suppress"></s:key> <s:key name="alert.suppress.fields"></s:key> <s:key name="alert.suppress.period"></s:key> <s:key name="alert.track">auto</s:key> <s:key name="alert_comparator"></s:key> <s:key name="alert_condition"></s:key> <s:key name="alert_threshold"></s:key> <s:key name="alert_type">always</s:key> <s:key name="cron_schedule">*/30 * * * *</s:key> <s:key name="description">scheduled search for view name=dashboard_live</s:key> <s:key name="disabled">0</s:key> <s:key name="dispatch.buckets">0</s:key> <s:key name="dispatch.earliest_time">1</s:key> <s:key name="dispatch.latest_time">2</s:key> <s:key name="dispatch.lookups">1</s:key> <s:key name="dispatch.max_count">500000</s:key> <s:key name="dispatch.max_time">0</s:key> . . . elided . . . <!-- eai:acl elided --> <s:key name="is_scheduled">1</s:key> <s:key name="is_visible">0</s:key> <s:key name="max_concurrent">1</s:key> <s:key name="next_scheduled_time">2011-12-02 11:30:00 PST</s:key> <s:key name="qualifiedSearch"> noop</s:key> <s:key name="realtime_schedule">1</s:key> <s:key name="request.ui_dispatch_app"></s:key> <s:key name="request.ui_dispatch_view"></s:key> <s:key name="restart_on_searchpeer_add">1</s:key> <s:key name="run_on_startup">0</s:key> <s:key name="scheduled_times"><s:list><s:item>1322836200</s:item><s:item>1322838000</s:item><s:item>1322839800</s:item><s:item>1322841600</s:item></s:list></s:key> <s:key name="search">| noop</s:key> <s:key name="vsid"></s:key> </s:dict> </content> </entry> </feed>
saved/searches/{name}/suppress GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/suppress
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>savedsearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id> <updated>2011-07-26T18:22:51-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>MySavedSearch</title> <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id> <updated>2011-07-26T18:22:51-04:00</updated> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/> <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/> <content type="text/xml"> <s:dict> <!-- eai:acl elided --> <s:key name="expiration">13811</s:key> <s:key name="suppressed">1</s:key> <s:key name="suppressionKey">admin;search;MySavedSearch;;</s:key> </s:dict> </content> </entry> </feed>
scheduled/views GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/scheduled/views
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id> <updated>2011-07-27T16:27:55-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>_ScheduledView__MyView</title> <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView</id> <updated>2011-07-27T16:27:55-04:00</updated> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="list"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="edit"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="remove"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/move" rel="move"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/disable" rel="disable"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/dispatch" rel="dispatch"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/history" rel="history"/> <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/notify" rel="notify"/> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.pdfview">MyView</s:key> <s:key 
name="action.email.sendpdf">1</s:key> <s:key name="action.email.sendresults"></s:key> <s:key name="action.email.to">email@example.com</s:key> <s:key name="action.email.ttl">10</s:key> <s:key name="cron_schedule">* * * * *</s:key> <s:key name="description">scheduled search for view name=MyView</s:key> <s:key name="disabled">0</s:key> <!-- eai:acl elided --> <s:key name="is_scheduled">1</s:key> <s:key name="next_scheduled_time">2011-07-27 16:28:00 EDT</s:key> </s:dict> </content> </entry> </feed>
scheduled/views/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id> <updated>2011-07-27T16:16:02-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
scheduled/views/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id> <updated>2011-07-27T17:12:11-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>_ScheduledView__MyView</title> <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id> <updated>2011-07-27T17:12:11-04:00</updated> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.auth_password"></s:key> <s:key name="action.email.auth_username"></s:key> <s:key 
name="action.email.bcc"></s:key> <s:key name="action.email.cc"></s:key> <s:key name="action.email.command"> <![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]> </s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"></s:key> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.pdfview">MyView</s:key> <s:key name="action.email.preprocess_results"></s:key> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">0</s:key> <s:key name="action.email.reportServerURL"></s:key> <s:key name="action.email.sendpdf">1</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to">info@example.com</s:key> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">10</s:key> <s:key 
name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="cron_schedule">* * * * *</s:key> <s:key name="description">scheduled search for view name=MyView</s:key> <s:key name="disabled">0</s:key> <!-- eai:acl elided --> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>description</s:item> <s:item>disabled</s:item> <s:item>next_scheduled_time</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list> <s:item>action.email.to</s:item> <s:item>cron_schedule</s:item> <s:item>is_scheduled</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list><s:item>action\.email.*</s:item></s:list> </s:key> </s:dict> </s:key> <s:key name="is_scheduled">1</s:key> <s:key name="next_scheduled_time">2011-07-27 17:13:00 EDT</s:key> </s:dict> </content> </entry> </feed>
scheduled/views/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView -d action.email.to="info@example.com" -d cron_schedule="0 * * * *" -d is_scheduled=1 -d description="New Description"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id> <updated>2011-07-27T17:59:32-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>_ScheduledView__MyView</title> <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id> <updated>2011-07-27T17:59:32-04:00</updated> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.auth_password"></s:key> <s:key name="action.email.auth_username"></s:key> <s:key 
name="action.email.bcc"></s:key> <s:key name="action.email.cc"></s:key> <s:key name="action.email.command"> <![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]> </s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"></s:key> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.pdfview">MyView</s:key> <s:key name="action.email.preprocess_results"></s:key> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">0</s:key> <s:key name="action.email.reportServerURL"></s:key> <s:key name="action.email.sendpdf">1</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to">info@example.com</s:key> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">10</s:key> <s:key 
name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="cron_schedule">0 * * * *</s:key> <s:key name="description">New Description</s:key> <s:key name="disabled">0</s:key> <!-- eai:acl elided --> <s:key name="is_scheduled">1</s:key> <s:key name="next_scheduled_time">2011-07-27 18:00:00 EDT</s:key> </s:dict> </content> </entry> </feed>
scheduled/views/{name}/dispatch POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/dispatch -d trigger_actions=1
XML Response
<?xml version='1.0' encoding='UTF-8'?> <response><sid>admin__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311805021_c24ff1ea77ad714b</sid></response>
scheduled/views/{name}/history GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/history
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>_ScheduledView__MyView</title> <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id> <updated>2011-07-27T16:25:22-04:00</updated> <generator version="104601"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</title> <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</id> <updated>2011-07-27T16:25:15-04:00</updated> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="alternate"/> <author> <name>admin</name> </author> <published>2011-07-27T16:25:15-04:00</published> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="list"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="edit"/> <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="remove"/> <content type="text/xml"> <s:dict> <!-- eai:acl elided --> </s:dict> </content> </entry> </feed>
scheduled/views/{name}/reschedule POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard2/reschedule -d schedule_time=2013-02-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://localhost:8089/services/scheduled/views</id> <updated>2012-10-02T08:48:18-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/scheduled/views/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
scheduled/views/{name}/scheduled_times GET
XML
XML Request
curl -k -u admin:admin https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduledviews</title> <id>https://wma-mbp15:8089/services/scheduled/views</id> <updated>2011-12-01T14:40:18-08:00</updated> <generator version="112383"/> <author> <name>Splunk</name> </author> <link href="/services/scheduled/views/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>_ScheduledView__dashboard_live</title> <id>https://wma-mbp15:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live</id> <updated>2011-12-01T14:40:18-08:00</updated> <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live" rel="alternate"/> <author> <name>admin</name> </author> <!-- opensearch nodes elided for brevity. --> <content type="text/xml"> <s:dict> <s:key name="action.email">1</s:key> <s:key name="action.email.auth_password"></s:key> <s:key name="action.email.auth_username"></s:key> <s:key name="action.email.bcc"></s:key> <s:key name="action.email.cc"></s:key> <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" 
"searchid=$search_id$" "width_sort_columns=$action.email.width_sort_columns$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]></s:key> <s:key name="action.email.format">html</s:key> <s:key name="action.email.from">splunk</s:key> <s:key name="action.email.hostname"></s:key> <s:key name="action.email.inline">0</s:key> <s:key name="action.email.mailserver">localhost</s:key> <s:key name="action.email.maxresults">10000</s:key> <s:key name="action.email.maxtime">5m</s:key> <s:key name="action.email.pdfview">dashboard_live</s:key> <s:key name="action.email.preprocess_results"></s:key> <s:key name="action.email.reportPaperOrientation">portrait</s:key> <s:key name="action.email.reportPaperSize">letter</s:key> <s:key name="action.email.reportServerEnabled">1</s:key> <s:key name="action.email.reportServerURL"> </s:key> <s:key name="action.email.sendpdf">1</s:key> <s:key name="action.email.sendresults">0</s:key> <s:key name="action.email.subject">Splunk Alert: $name$</s:key> <s:key name="action.email.to">wma@splunk.com</s:key> <s:key name="action.email.track_alert">1</s:key> <s:key name="action.email.ttl">10</s:key> <s:key name="action.email.use_ssl">0</s:key> <s:key name="action.email.use_tls">0</s:key> <s:key name="action.email.width_sort_columns">1</s:key> <s:key name="cron_schedule">/5 * * * *</s:key> <s:key name="description">scheduled search for view name=dashboard_live</s:key> <s:key name="disabled">0</s:key> <!-- eai:acl elided --> <s:key name="is_scheduled">1</s:key> <s:key name="next_scheduled_time">2011-12-01 15:00:00 PST</s:key> </s:dict> </content> </entry> </feed>
search/jobs GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs --get -d search="eventCount>100"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>jobs</title> <id>https://localhost:8089/services/search/jobs</id> <updated>2011-06-21T10:12:22-07:00</updated> <generator version="100492"/> <author> <name>Splunk</name> </author> <opensearch:totalResults>8</opensearch:totalResults> <opensearch:itemsPerPage>0</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <entry> <title>search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5</title> <id>https://localhost:8089/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</id> <updated>2011-06-21T10:10:31.000-07:00</updated> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4" rel="alternate"/> <published>2011-06-21T10:10:23.000-07:00</published> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/search.log" rel="log"/> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/events" rel="events"/> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results" rel="results"/> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results_preview" rel="results_preview"/> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/timeline" rel="timeline"/> <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/summary" rel="summary"/> <link 
href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/control" rel="control"/> <author> <name>splunk-system-user</name> </author> <content type="text/xml"> <s:dict> <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key> <s:key name="delegate">scheduler</s:key> <s:key name="diskUsage">73728</s:key> <s:key name="dispatchState">DONE</s:key> <s:key name="doneProgress">1.00000</s:key> <s:key name="dropCount">0</s:key> <s:key name="earliestTime">2011-06-20T10:10:00.000-07:00</s:key> <s:key name="eventAvailableCount">0</s:key> <s:key name="eventCount">1363</s:key> <s:key name="eventFieldCount">0</s:key> <s:key name="eventIsStreaming">1</s:key> <s:key name="eventIsTruncated">1</s:key> <s:key name="eventSearch">search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput </s:key> <s:key name="eventSorting">none</s:key> <s:key name="isDone">1</s:key> <s:key name="isFailed">0</s:key> <s:key name="isFinalized">0</s:key> <s:key name="isPaused">0</s:key> <s:key name="isPreviewEnabled">0</s:key> <s:key name="isRealTimeSearch">0</s:key> <s:key name="isRemoteTimeline">0</s:key> <s:key name="isSaved">0</s:key> <s:key name="isSavedSearch">1</s:key> <s:key name="isZombie">0</s:key> <s:key name="keywords">group::per_sourcetype_thruput index::_internal source::*/metrics.log* source::*\metrics.log*</s:key> <s:key name="label">Top five sourcetypes</s:key> <s:key name="latestTime">2011-06-21T10:10:00.000-07:00</s:key> <s:key name="numPreviews">0</s:key> <s:key name="priority">5</s:key> <s:key name="remoteSearch">litsearch index=_internal ( source=*/metrics.log* OR source=*\\metrics.log* ) group=per_sourcetype_thruput | addinfo type=count label=prereport_events | fields keepcolorder=t "kb" "prestats_reserved_*" "psrsvd_*" "series" | convert num("kb") | prestats sum(kb) AS "sum(kb)" by series</s:key> <s:key name="reportSearch">chart sum(kb) by series | sort -sum(kb) | head 5</s:key> 
<s:key name="resultCount">4</s:key> <s:key name="resultIsStreaming">0</s:key> <s:key name="resultPreviewCount">4</s:key> <s:key name="runDuration">0.259000</s:key> <s:key name="scanCount">1363</s:key> <s:key name="searchEarliestTime">1308589800.000000000</s:key> <s:key name="searchLatestTime">1308676200.000000000</s:key> <s:key name="sid">scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</s:key> <s:key name="statusBuckets">0</s:key> <s:key name="ttl">489</s:key> <s:key name="performance"> <s:dict> <s:key name="command.addinfo"> <s:dict> <s:key name="duration_secs">0.005</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.chart"> <s:dict> <s:key name="duration_secs">0.003</s:key> <s:key name="invocations">1</s:key> <s:key name="input_count">100000</s:key> <s:key name="output_count">4</s:key> </s:dict> </s:key> <s:key name="command.convert"> <s:dict> <s:key name="duration_secs">0.006</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.fields"> <s:dict> <s:key name="duration_secs">0.005</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.head"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> <s:key name="input_count">4</s:key> <s:key name="output_count">4</s:key> </s:dict> </s:key> <s:key name="command.presort"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> <s:key name="input_count">4</s:key> <s:key name="output_count">4</s:key> </s:dict> </s:key> <s:key name="command.prestats"> <s:dict> <s:key name="duration_secs">0.014</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key 
name="output_count">12</s:key> </s:dict> </s:key> <s:key name="command.search"> <s:dict> <s:key name="duration_secs">0.058</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">0</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.search.fieldalias"> <s:dict> <s:key name="duration_secs">0.003</s:key> <s:key name="invocations">3</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.search.filter"> <s:dict> <s:key name="duration_secs">0.004</s:key> <s:key name="invocations">3</s:key> </s:dict> </s:key> <s:key name="command.search.index"> <s:dict> <s:key name="duration_secs">0.010</s:key> <s:key name="invocations">5</s:key> </s:dict> </s:key> <s:key name="command.search.kv"> <s:dict> <s:key name="duration_secs">0.011</s:key> <s:key name="invocations">3</s:key> </s:dict> </s:key> <s:key name="command.search.lookups"> <s:dict> <s:key name="duration_secs">0.003</s:key> <s:key name="invocations">3</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.search.rawdata"> <s:dict> <s:key name="duration_secs">0.034</s:key> <s:key name="invocations">3</s:key> </s:dict> </s:key> <s:key name="command.search.tags"> <s:dict> <s:key name="duration_secs">0.005</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.search.typer"> <s:dict> <s:key name="duration_secs">0.005</s:key> <s:key name="invocations">5</s:key> <s:key name="input_count">1363</s:key> <s:key name="output_count">1363</s:key> </s:dict> </s:key> <s:key name="command.sort"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> <s:key name="input_count">4</s:key> <s:key name="output_count">4</s:key> </s:dict> </s:key> <s:key name="dispatch.createProviderQueue"> <s:dict> <s:key 
name="duration_secs">0.067</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate"> <s:dict> <s:key name="duration_secs">0.038</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate.chart"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate.head"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate.search"> <s:dict> <s:key name="duration_secs">0.037</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate.sort"> <s:dict> <s:key name="duration_secs">0.001</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.fetch"> <s:dict> <s:key name="duration_secs">0.126</s:key> <s:key name="invocations">6</s:key> </s:dict> </s:key> <s:key name="dispatch.stream.local"> <s:dict> <s:key name="duration_secs">0.070</s:key> <s:key name="invocations">5</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="messages"> <s:dict/> </s:key> <s:key name="request"> <s:dict> <s:key name="ui_dispatch_app"></s:key> <s:key name="ui_dispatch_view"></s:key> </s:dict> </s:key> <s:key name="eai:acl"> <s:dict> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="owner">nobody</s:key> <s:key name="modifiable">true</s:key> <s:key name="sharing">global</s:key> <s:key name="app">search</s:key> <s:key name="can_write">true</s:key> </s:dict> </s:key> <s:key name="searchProviders"> <s:list> <s:item>mbp15.splunk.com</s:item> </s:list> </s:key> </s:dict> </content> </entry> . . . elided . . . </feed>
search/jobs POST
XML
XML Request
- Basic example:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300
- Create custom property example:
curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search *" -d custom.foobar="myCustomPropA" -d custom.foobaz="myCustomPropB"
Use the search/jobs GET request to view the custom properties.
- Create indexed real-time search with five second disk sync delay example:
curl -k -u admin:changed https://localhost:8089/services/search/jobs -d search="search index=_* *" -d search_mode="realtime" -d indexedRealtime="1" -d indexedRealtimeOffset="300"
XML Response
<response><sid>mysearch_02151949</sid></response>
search/jobs/export POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 1"
XML Response
<results preview='0'> <meta> <fieldOrder> <field>_cd</field> <field>_indextime</field> <field>_raw</field> <field>_serial</field> <field>_si</field> <field>_sourcetype</field> <field>_subsecond</field> <field>_time</field> <field>host</field> <field>index</field> <field>linecount</field> <field>source</field> <field>sourcetype</field> <field>splunk_server</field> </fieldOrder> </meta> <messages> <msg type="DEBUG">base lispy: [ AND index::_internal ]</msg> <msg type="DEBUG">search context: user="admin", app="search", bs-pathname="/Applications/splunk/etc"</msg> <msg type="INFO">Your timerange was substituted based on your search string</msg> </messages> <result offset='0'> <field k='_cd'> <value><text>50:59480</text></value> </field> <field k='_indextime'> <value><text>1333739623</text></value> </field> <field k='_raw'><v xml:space='preserve' trunc='0'>127.0.0.1 - admin [06/Apr/2012:12:13:42.943 -0700] "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 2063 - - - 317ms</v></field> <field k='_serial'> <value><text>0</text></value> </field> <field k='_si'> <value><text>mbp15.splunk.com</text></value> <value><text>_internal</text></value> </field> <field k='_sourcetype'> <value><text>splunkd_access</text></value> </field> <field k='_subsecond'> <value><text>.943</text></value> </field> <field k='_time'> <value><text>2012-04-06 12:13:42.943 PDT</text></value> </field> <field k='host'> <value><text>mbp15.splunk.com</text></value> </field> <field k='index'> <value h='1'><text>_internal</text></value> </field> <field k='linecount'> <value><text>1</text></value> </field> <field k='source'> <value><text>/Applications/splunk/var/log/splunk/splunkd_access.log</text></value> </field> <field k='sourcetype'> <value><text>splunkd_access</text></value> </field> <field k='splunk_server'> <value><text>mbp15.splunk.com</text></value> </field> </result> </results>
search/jobs/{search_id} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<response><messages><msg type='INFO'>Search job cancelled.</msg></messages></response>
search/jobs/{search_id} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>search index</title> <id>https://localhost:8089/services/search/jobs/mysearch_02151949</id> <updated>2011-07-07T20:49:58.000-07:00</updated> <link href="/services/search/jobs/mysearch_02151949" rel="alternate"/> <published>2011-07-07T20:49:57.000-07:00</published> <link href="/services/search/jobs/mysearch_02151949/search.log" rel="search.log"/> <link href="/services/search/jobs/mysearch_02151949/events" rel="events"/> <link href="/services/search/jobs/mysearch_02151949/results" rel="results"/> <link href="/services/search/jobs/mysearch_02151949/results_preview" rel="results_preview"/> <link href="/services/search/jobs/mysearch_02151949/timeline" rel="timeline"/> <link href="/services/search/jobs/mysearch_02151949/summary" rel="summary"/> <link href="/services/search/jobs/mysearch_02151949/control" rel="control"/> <author> <name>admin</name> </author> <content type="text/xml"> <s:dict> <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key> <s:key name="delegate"></s:key> <s:key name="diskUsage">2174976</s:key> <s:key name="dispatchState">DONE</s:key> <s:key name="doneProgress">1.00000</s:key> <s:key name="dropCount">0</s:key> <s:key name="earliestTime">2011-07-07T11:18:08.000-07:00</s:key> <s:key name="eventAvailableCount">287</s:key> <s:key name="eventCount">287</s:key> <s:key name="eventFieldCount">6</s:key> <s:key name="eventIsStreaming">1</s:key> <s:key name="eventIsTruncated">0</s:key> <s:key name="eventSearch">search index</s:key> <s:key name="eventSorting">desc</s:key> <s:key name="isDone">1</s:key> <s:key name="isFailed">0</s:key> <s:key name="isFinalized">0</s:key> <s:key name="isPaused">0</s:key> <s:key name="isPreviewEnabled">0</s:key> <s:key name="isRealTimeSearch">0</s:key> <s:key name="isRemoteTimeline">0</s:key> <s:key name="isSaved">0</s:key> <s:key name="isSavedSearch">0</s:key> <s:key 
name="isZombie">0</s:key> <s:key name="keywords">index</s:key> <s:key name="label"></s:key> <s:key name="latestTime">1969-12-31T16:00:00.000-08:00</s:key> <s:key name="numPreviews">0</s:key> <s:key name="priority">5</s:key> <s:key name="remoteSearch">litsearch index | fields keepcolorder=t "host" "index" "linecount" "source" "sourcetype" "splunk_server"</s:key> <s:key name="reportSearch"></s:key> <s:key name="resultCount">287</s:key> <s:key name="resultIsStreaming">1</s:key> <s:key name="resultPreviewCount">287</s:key> <s:key name="runDuration">1.004000</s:key> <s:key name="scanCount">287</s:key> <s:key name="sid">mysearch_02151949</s:key> <s:key name="statusBuckets">0</s:key> <s:key name="ttl">516</s:key> <s:key name="performance"> <s:dict> <s:key name="command.fields"> <s:dict> <s:key name="duration_secs">0.004</s:key> <s:key name="invocations">4</s:key> <s:key name="input_count">287</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="command.search"> <s:dict> <s:key name="duration_secs">0.089</s:key> <s:key name="invocations">4</s:key> <s:key name="input_count">0</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="command.search.fieldalias"> <s:dict> <s:key name="duration_secs">0.002</s:key> <s:key name="invocations">2</s:key> <s:key name="input_count">287</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="command.search.index"> <s:dict> <s:key name="duration_secs">0.005</s:key> <s:key name="invocations">4</s:key> </s:dict> </s:key> <s:key name="command.search.kv"> <s:dict> <s:key name="duration_secs">0.002</s:key> <s:key name="invocations">2</s:key> </s:dict> </s:key> <s:key name="command.search.lookups"> <s:dict> <s:key name="duration_secs">0.002</s:key> <s:key name="invocations">2</s:key> <s:key name="input_count">287</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="command.search.rawdata"> <s:dict> <s:key name="duration_secs">0.083</s:key> <s:key 
name="invocations">2</s:key> </s:dict> </s:key> <s:key name="command.search.tags"> <s:dict> <s:key name="duration_secs">0.004</s:key> <s:key name="invocations">4</s:key> <s:key name="input_count">287</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="command.search.typer"> <s:dict> <s:key name="duration_secs">0.004</s:key> <s:key name="invocations">4</s:key> <s:key name="input_count">287</s:key> <s:key name="output_count">287</s:key> </s:dict> </s:key> <s:key name="dispatch.createProviderQueue"> <s:dict> <s:key name="duration_secs">0.059</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate"> <s:dict> <s:key name="duration_secs">0.037</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.evaluate.search"> <s:dict> <s:key name="duration_secs">0.036</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.fetch"> <s:dict> <s:key name="duration_secs">0.092</s:key> <s:key name="invocations">5</s:key> </s:dict> </s:key> <s:key name="dispatch.readEventsInResults"> <s:dict> <s:key name="duration_secs">0.110</s:key> <s:key name="invocations">1</s:key> </s:dict> </s:key> <s:key name="dispatch.stream.local"> <s:dict> <s:key name="duration_secs">0.089</s:key> <s:key name="invocations">4</s:key> </s:dict> </s:key> <s:key name="dispatch.timeline"> <s:dict> <s:key name="duration_secs">0.359</s:key> <s:key name="invocations">5</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="messages"> <s:dict/> </s:key> <s:key name="request"> <s:dict> <s:key name="id">mysearch_02151949</s:key> <s:key name="search">search index</s:key> </s:dict> </s:key> <s:key name="eai:acl"> <s:dict> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="owner">admin</s:key> <s:key name="modifiable">true</s:key> <s:key 
name="sharing">global</s:key> <s:key name="app">search</s:key> <s:key name="can_write">true</s:key> </s:dict> </s:key> <s:key name="searchProviders"> <s:list> <s:item>mbp15.splunk.com</s:item> </s:list> </s:key> </s:dict> </content> </entry>
search/jobs/{search_id} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/{search_id} -d custom.*=UNDONE_curl_param
XML Response
TBD
search/jobs/{search_id}/control POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/control -d action=pause
XML Response
<response><messages><msg type='INFO'>Search job paused.</msg></messages></response>
search/jobs/{search_id}/events GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/1312313809.20/events --get -d f=arch -d f=build -d f=connectionType -d r -d count=3
XML Response
<results preview='0'> <meta> <fieldOrder> <field>arch</field> <field>build</field> <field>connectionType</field> <field>date_hour</field> </fieldOrder> </meta> <result offset='0'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> <result offset='1'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> <result offset='2'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> </results>
search/jobs/{search_id}/results GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0, "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]", "type" : "DEBUG" }, { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"", "type" : "DEBUG" } ], "preview" : false, "results" : [ { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" }, { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" }, { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" } ] }
search/jobs/{search_id}/results_preview GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results_preview --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0, "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]", "type" : "DEBUG" }, { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"", "type" : "DEBUG" } ], "preview" : false, "results" : [ { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" }, { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" }, { "index" : "_internal", "source" : "/Applications/splunk/var/log/splunk/metrics.log", "sourcetype" : "splunkd" } ] }
search/jobs/{search_id}/search.log GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/search.log
XML Response
TBD
Raw Response
07-07-2011 21:36:22.066 INFO ApplicationManager - Found application directory: /Applications/splunk4.3/etc/apps/user-prefs 07-07-2011 21:36:22.066 INFO ApplicationManager - Initialized at least 12 applications: /Applications/splunk4.3/etc/apps 07-07-2011 21:36:22.066 INFO ApplicationManager - Found 5 application(s) that might have global exports 07-07-2011 21:36:22.073 INFO dispatchRunner - initing LicenseMgr in search process: nonPro=0 07-07-2011 21:36:22.074 INFO LicenseMgr - Initing LicenseMgr 07-07-2011 21:36:22.075 INFO ServerConfig - My GUID is "1F3A34AE-75DA-4680-B184-5BF309843919". 07-07-2011 21:36:22.075 INFO ServerConfig - My hostname is "ombroso-mbp15.local". 07-07-2011 21:36:22.076 INFO SSLCommon - added zlib compression 07-07-2011 21:36:22.077 INFO ServerConfig - Default output queue for file-based input: parsingQueue. 07-07-2011 21:36:22.077 INFO LMConfig - serverName=mbp15.splunk.com guid=1F3A34AE-75DA-4680-B184-5BF309843919 07-07-2011 21:36:22.077 INFO LMConfig - connection_timeout=30 07-07-2011 21:36:22.077 INFO LMConfig - send_timeout=30 07-07-2011 21:36:22.077 INFO LMConfig - receive_timeout=30 . . . elided . . .
search/jobs/{search_id}/summary GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/summary --get -d f=source -d f=sourcetype -d f=host -d top_count=5
XML Response
<?xml version='1.0' encoding='UTF-8'?> <summary earliest_time='1969-12-31T16:00:00.000-08:00' latest_time='1969-12-31T16:00:00.464-08:00' duration='0' c='150375'> <field k='host' c='150375' nc='0' dc='1' exact='1'> <modes> <value c='150375' exact='1'><text>tiny</text></value> </modes> </field> <field k='source' c='150375' nc='0' dc='13' exact='1'> <modes> <value c='136107' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/metrics.log</text></value> <value c='6682' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd_access.log</text></value> <value c='4656' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/scheduler.log</text></value> <value c='1714' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/web_access.log</text></value> <value c='937' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd.log</text></value> </modes> </field> <field k='sourcetype' c='150375' nc='0' dc='10' exact='1'> <modes> <value c='137053' exact='1'><text>splunkd</text></value> <value c='6682' exact='1'><text>splunkd_access</text></value> <value c='4656' exact='1'><text>scheduler</text></value> <value c='1714' exact='1'><text>splunk_web_access</text></value> <value c='193' exact='1'><text>splunk_web_service</text></value> </modes> </field> </summary>
search/jobs/{search_id}/timeline GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/timeline --get -d time_format="%c"
XML Response
<timeline c='150397' cursor='1312308000'> <bucket c='7741' a='7741' t='1312308000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 11:00:00 2011</bucket> <bucket c='7894' a='7894' t='1312311600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 12:00:00 2011</bucket> <bucket c='7406' a='7406' t='1312315200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 13:00:00 2011</bucket> <bucket c='6097' a='6097' t='1312318800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 14:00:00 2011</bucket> <bucket c='6072' a='6072' t='1312322400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 15:00:00 2011</bucket> <bucket c='6002' a='6002' t='1312326000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 16:00:00 2011</bucket> <bucket c='6004' a='6004' t='1312329600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 17:00:00 2011</bucket> <bucket c='5994' a='5994' t='1312333200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 18:00:00 2011</bucket> <bucket c='6037' a='6037' t='1312336800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 19:00:00 2011</bucket> <bucket c='6021' a='6021' t='1312340400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 20:00:00 2011</bucket> <bucket c='6051' a='6051' t='1312344000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 21:00:00 2011</bucket> <bucket c='6006' a='6006' t='1312347600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 22:00:00 2011</bucket> <bucket c='6041' a='6041' t='1312351200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 23:00:00 2011</bucket> <bucket c='5993' a='5993' t='1312354800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 00:00:00 2011</bucket> <bucket c='6040' a='6040' t='1312358400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 01:00:00 2011</bucket> <bucket c='5993' a='5993' t='1312362000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 02:00:00 2011</bucket> <bucket c='6061' a='6061' t='1312365600.000' d='3600' 
f='1' etz='-25200' ltz='-25200'>Wed Aug 3 03:00:00 2011</bucket> <bucket c='5995' a='5995' t='1312369200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 04:00:00 2011</bucket> <bucket c='5988' a='5988' t='1312372800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 05:00:00 2011</bucket> <bucket c='6042' a='6042' t='1312376400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 06:00:00 2011</bucket> <bucket c='5998' a='5998' t='1312380000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 07:00:00 2011</bucket> <bucket c='6055' a='6055' t='1312383600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 08:00:00 2011</bucket> <bucket c='5997' a='5997' t='1312387200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 09:00:00 2011</bucket> <bucket c='5994' a='5994' t='1312390800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 10:00:00 2011</bucket> <bucket c='875' a='875' t='1312394400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 11:00:00 2011</bucket> </timeline>
search/parser GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/parser --get -d output_mode=json -d q="search index=os sourcetype=cpu"
JSON Response
{ "remoteSearch": "litsearch | fields keepcolorder=t \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"", "remoteTimeOrdered": true, "eventsSearch": "search ", "eventsTimeOrdered": true, "eventsStreaming": true, "reportsSearch": "", "commands": [ { "command": "search", "rawargs": "", "pipeline": "streaming", "args": { "search": [""] }, "isGenerating": true, "streamType": "SP_STREAM" } ] }
search/scheduler GET
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/scheduler
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduler</title> <id>https://localhost:8089/services/search/scheduler</id> <updated>2015-06-09T13:23:38-07:00</updated> <generator build="6cfc0237739f" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/services/search/scheduler/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>scheduler</title> <id>https://localhost:8089/services/search/scheduler/scheduler</id> <updated>2015-06-09T13:23:38-07:00</updated> <link href="/services/search/scheduler/scheduler" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/search/scheduler/scheduler" rel="list"/> <link href="/services/search/scheduler/scheduler" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="saved_searches_disabled">0</s:key> </s:dict> </content> </entry> </feed>
search/scheduler/status POST
XML
XML Request
curl -ku admin:pass -XPOST https://localhost:8089/services/search/scheduler/status -d disabled=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>scheduler</title> <id>https://localhost:8089/services/search/scheduler</id> <updated>2015-06-09T13:40:21-07:00</updated> <generator build="6cfc0237739f" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/services/search/scheduler/_acl" rel="_acl"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
search/timeparser GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/timeparser --get -d time=-12h -d time=-24h
XML Response
<response> <dict> <key name="-12h">2011-07-06T21:54:23.000-07:00</key> <key name="-24h">2011-07-06T09:54:23.000-07:00</key> </dict> </response>
search/typeahead GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/typeahead --get -d count=3 -d prefix=source -d output_mode=json
JSON Response
{ "results" : [ { "content" : "source=\"sampledata.zip:./apache1.splunk.com/access_combined.log\"", "count" : 9199, "operator" : false }, { "content" : "source=\"sampledata.zip:./apache2.splunk.com/access_combined.log\"", "count" : 27705, "operator" : false }, { "content" : "source=\"sampledata.zip:./apache3.splunk.com/access_combined.log\"", "count" : 27888, "operator" : false } ] }
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10