Related Answers
Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.
Click here for the latest version.
Download topic as PDF
Search endpoint examples
alerts/fired_alerts GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/fired_alerts
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>alerts</title>
<id>https://localhost:8089/services/alerts/fired_alerts</id>
<updated>2011-07-11T19:27:22-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>-</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/-</id>
<updated>2011-07-11T19:27:22-07:00</updated>
<link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="list"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="triggered_alert_count">0</s:key>
</s:dict>
</content>
</entry>
</feed>
alerts/fired_alerts/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/scheduler__admin__search_aGF2ZV9ldmVudHM_at_1310437740_5d3dfde563194ffd_1310437749
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>alerts</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
<updated>2011-07-11T19:35:25-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
alerts/fired_alerts/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/MyAlert
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>alerts</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
<updated>2012-10-25T09:20:04-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</title>
<id>https://localhost:8089/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</id>
<updated>2012-10-25T09:19:47-07:00</updated>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2012-10-25T09:19:47-07:00</published>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="list"/>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="remove"/>
<link href="/servicesNS/nobody/search/search/jobs/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31" rel="job"/>
<link href="/servicesNS/nobody/search/saved/searches/MyAlert" rel="savedsearch"/>
<content type="text/xml">
<s:dict>
<s:key name="actions"/>
<s:key name="alert_type">real time</s:key>
<s:key name="digest_mode">0</s:key>
<!-- eai:acl elided -->
<s:key name="expiration_time_rendered">2012-10-26 09:19:47 PDT</s:key>
<s:key name="savedsearch_name">MyAlert</s:key>
<s:key name="severity">3</s:key>
<s:key name="sid">rt_scheduler__admin__search__MyAlert_at_1351181001_5.31</s:key>
<s:key name="trigger_time">1351181987</s:key>
<s:key name="trigger_time_rendered">2012-10-25 09:19:47 PDT</s:key>
<s:key name="triggered_alerts">5</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
data/commands GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>commandsconf</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
<s:messages/>
<entry>
<title>bucketdir</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands/bucketdir</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="list"/>
<link href="/servicesNS/nobody/search/data/commands/bucketdir/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/commands/bucketdir/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="changes_colorder">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="enableheader">1</s:key>
<s:key name="filename">bucketdir.py</s:key>
<s:key name="generates_timeorder">0</s:key>
<s:key name="generating">0</s:key>
<s:key name="maxinputs">50000</s:key>
<s:key name="outputheader">0</s:key>
<s:key name="passauth">0</s:key>
<s:key name="required_fields">*</s:key>
<s:key name="requires_preop">0</s:key>
<s:key name="retainsevents">0</s:key>
<s:key name="streaming">0</s:key>
<s:key name="supports_getinfo">0</s:key>
<s:key name="supports_rawargs">1</s:key>
<s:key name="type">python</s:key>
</s:dict>
</content>
</entry>
</feed>
data/commands/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands/input
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>commandsconf</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
<s:messages/>
<entry>
<title>input</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands/input</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<link href="/servicesNS/nobody/search/data/commands/input" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/input" rel="list"/>
<link href="/servicesNS/nobody/search/data/commands/input/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/commands/input/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="changes_colorder">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="enableheader">1</s:key>
<s:key name="filename">input.py</s:key>
<s:key name="generates_timeorder">0</s:key>
<s:key name="generating">0</s:key>
<s:key name="maxinputs">50000</s:key>
<s:key name="outputheader">0</s:key>
<s:key name="passauth">1</s:key>
<s:key name="required_fields">*</s:key>
<s:key name="requires_preop">0</s:key>
<s:key name="retainsevents">0</s:key>
<s:key name="streaming">0</s:key>
<s:key name="supports_getinfo">0</s:key>
<s:key name="supports_rawargs">1</s:key>
<s:key name="type">python</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2011-07-13T11:56:35-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Errors in the last 24 hours</title>
<id>https://localhost:8089/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours</id>
<updated>2011-07-13T11:56:35-07:00</updated>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="list"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/disable" rel="disable"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/dispatch" rel="dispatch"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.sendresults"/>
<s:key name="action.email.to"/>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"/>
<s:key name="alert.suppress.period"/>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"/>
<s:key name="alert_condition"/>
<s:key name="alert_threshold"/>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"/>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time">-1d</s:key>
<s:key name="dispatch.latest_time"/>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"/>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"/>
<s:key name="qualifiedSearch">search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"/>
<s:key name="request.ui_dispatch_view"/>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
<s:key name="vsid">*:75qh2fwx</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches -d name=MySavedSearch --data-urlencode search="index=_internal source=*metrics.log"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-12-09T09:10:21-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-12-09T09:10:21-08:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
<s:key name="action.email.auth_username">myusername</s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$
| sendemail "server=$action.email.mailserver{default=localhost}$"
"use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$"
"cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview"></s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">1</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to"></s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key>
<s:key name="action.populate_lookup.dest"></s:key>
<s:key name="action.populate_lookup.hostname"></s:key>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger:
$name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
</s:key>
<s:key name="action.rss.hostname"></s:key>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$"
"Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$"
maxtime="$action.script.maxtime{default=5m}$"
</s:key>
<s:key name="action.script.filename"></s:key>
<s:key name="action.script.hostname"></s:key>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
</s:key>
<s:key name="action.summary_index.hostname"></s:key>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.fields"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"></s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"></s:key>
<s:key name="dispatch.latest_time"></s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.rt_backfill">0</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"></s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"></s:key>
<s:key name="qualifiedSearch">search index=_internal source=*metrics.log</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">index=_internal source=*metrics.log</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-13T12:09:05-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
saved/searches/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-13T11:57:54-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-13T11:57:54-07:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.auth_password"/>
<s:key name="action.email.auth_username"/>
<s:key name="action.email.bcc"/>
<s:key name="action.email.cc"/>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$
| sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$"
"format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)"
"sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"/>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.preprocess_results"/>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"/>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to"/>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">
copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"
</s:key>
<s:key name="action.populate_lookup.hostname"/>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">
createrss "path=$name$.xml" "name=$name$" "link=$results.url$"
"descr=Alert trigger: $name$, results.count=$results.count$ " "count=30"
"graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
</s:key>
<s:key name="action.rss.hostname"/>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$"
"$results.count$" "$search$" "$search$" "$name$"
"Saved Search [$name$] $counttype$($results.count$)" "$results.url$"
"$deprecated_arg$" "$search_id$"
maxtime="$action.script.maxtime{default=5m}$"
</s:key>
<s:key name="action.script.hostname"/>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command">
<![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
file="$name$_$#random$.stash_new" name="$name$"
marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
</s:key>
<s:key name="action.summary_index.hostname"/>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"/>
<s:key name="alert.suppress.period"/>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"/>
<s:key name="alert_condition"/>
<s:key name="alert_threshold"/>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"/>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"/>
<s:key name="dispatch.latest_time"/>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"/>
<!-- eai:acl elided -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>action.email</s:item>
<s:item>action.email.auth_password</s:item>
<s:item>action.email.auth_username</s:item>
<s:item>action.email.bcc</s:item>
<s:item>action.email.cc</s:item>
<s:item>action.email.command</s:item>
<s:item>action.email.format</s:item>
<s:item>action.email.from</s:item>
<s:item>action.email.hostname</s:item>
<s:item>action.email.inline</s:item>
<s:item>action.email.mailserver</s:item>
<s:item>action.email.maxresults</s:item>
<s:item>action.email.maxtime</s:item>
<s:item>action.email.preprocess_results</s:item>
<s:item>action.email.reportPaperOrientation</s:item>
<s:item>action.email.reportPaperSize</s:item>
<s:item>action.email.reportServerEnabled</s:item>
<s:item>action.email.reportServerURL</s:item>
<s:item>action.email.sendpdf</s:item>
<s:item>action.email.sendresults</s:item>
<s:item>action.email.subject</s:item>
<s:item>action.email.to</s:item>
<s:item>action.email.track_alert</s:item>
<s:item>action.email.ttl</s:item>
<s:item>action.email.use_ssl</s:item>
<s:item>action.email.use_tls</s:item>
<s:item>action.populate_lookup</s:item>
<s:item>action.populate_lookup.command</s:item>
<s:item>action.populate_lookup.hostname</s:item>
<s:item>action.populate_lookup.maxresults</s:item>
<s:item>action.populate_lookup.maxtime</s:item>
<s:item>action.populate_lookup.track_alert</s:item>
<s:item>action.populate_lookup.ttl</s:item>
<s:item>action.rss</s:item>
<s:item>action.rss.command</s:item>
<s:item>action.rss.hostname</s:item>
<s:item>action.rss.maxresults</s:item>
<s:item>action.rss.maxtime</s:item>
<s:item>action.rss.track_alert</s:item>
<s:item>action.rss.ttl</s:item>
<s:item>action.script</s:item>
<s:item>action.script.command</s:item>
<s:item>action.script.hostname</s:item>
<s:item>action.script.maxresults</s:item>
<s:item>action.script.maxtime</s:item>
<s:item>action.script.track_alert</s:item>
<s:item>action.script.ttl</s:item>
<s:item>action.summary_index</s:item>
<s:item>action.summary_index._name</s:item>
<s:item>action.summary_index.command</s:item>
<s:item>action.summary_index.hostname</s:item>
<s:item>action.summary_index.inline</s:item>
<s:item>action.summary_index.maxresults</s:item>
<s:item>action.summary_index.maxtime</s:item>
<s:item>action.summary_index.track_alert</s:item>
<s:item>action.summary_index.ttl</s:item>
<s:item>actions</s:item>
<s:item>alert.digest_mode</s:item>
<s:item>alert.expires</s:item>
<s:item>alert.severity</s:item>
<s:item>alert.suppress</s:item>
<s:item>alert.suppress.period</s:item>
<s:item>alert.track</s:item>
<s:item>alert_comparator</s:item>
<s:item>alert_condition</s:item>
<s:item>alert_threshold</s:item>
<s:item>alert_type</s:item>
<s:item>cron_schedule</s:item>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>dispatch.buckets</s:item>
<s:item>dispatch.earliest_time</s:item>
<s:item>dispatch.latest_time</s:item>
<s:item>dispatch.lookups</s:item>
<s:item>dispatch.max_count</s:item>
<s:item>dispatch.max_time</s:item>
<s:item>dispatch.reduce_freq</s:item>
<s:item>dispatch.spawn_process</s:item>
<s:item>dispatch.time_format</s:item>
<s:item>dispatch.ttl</s:item>
<s:item>displayview</s:item>
<s:item>is_scheduled</s:item>
<s:item>is_visible</s:item>
<s:item>max_concurrent</s:item>
<s:item>next_scheduled_time</s:item>
<s:item>qualifiedSearch</s:item>
<s:item>realtime_schedule</s:item>
<s:item>request.ui_dispatch_app</s:item>
<s:item>request.ui_dispatch_view</s:item>
<s:item>restart_on_searchpeer_add</s:item>
<s:item>run_on_startup</s:item>
<s:item>vsid</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>action\..*</s:item>
<s:item>args\..*</s:item>
<s:item>dispatch\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"/>
<s:key name="qualifiedSearch">search index</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"/>
<s:key name="request.ui_dispatch_view"/>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">index</s:key>
<s:key name="vsid"/>
</s:dict>
</content>
</entry>
</feed>
saved/searches/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch -d actions=email -d action.email.to="nobody@example.com, info@example.com" -d search="my search here"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:20:14-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-26T18:20:14-04:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$"
"graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$"
maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">nobody@example.com,info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key>
<s:key name="action.populate_lookup.hostname"></s:key>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"</s:key>
<s:key name="action.rss.hostname"></s:key>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"</s:key>
<s:key name="action.script.hostname"></s:key>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]></s:key>
<s:key name="action.summary_index.hostname"></s:key>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="actions">email</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"></s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"></s:key>
<s:key name="dispatch.latest_time"></s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.rt_backfill">0</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"></s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"></s:key>
<s:key name="qualifiedSearch">search my seach here</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">my search here</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches/{name}/acknowledge POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MyAlert/acknowledge -X POST
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:31:07-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
saved/searches/{name}/dispatch POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch -d trigger_actions=1
XML Response
<?xml version='1.0' encoding='UTF-8'?> <response><sid>admin__admin__search__MySavedSearch_at_1311797437_d831d980832e3e89</sid></response>
saved/searches/{name}/history GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/history
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:13:20-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</id>
<updated>2011-07-26T18:13:18-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-26T18:13:01-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="isDone">1</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isScheduled">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="ttl">86382</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</id>
<updated>2011-07-26T17:51:23-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-26T17:51:01-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="isDone">1</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isScheduled">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="ttl">85062</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches/{name}/reschedule POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule -d schedule_time=2012-08-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2012-07-27T11:21:43-07:00</updated>
<generator build="131547" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
saved/searches/{name}/scheduled_times GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/searches/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2011-12-02T11:12:55-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__dashboard_live</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live</id>
<updated>2011-12-02T11:12:55-08:00</updated>
<link href="/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
<s:key name="action.email.auth_username">myusername</s:key>
. . . elided . . .
<s:key name="action.email.pdfview">dashboard_live</s:key>
. . . elided . . .
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">myusername@example.com</s:key>
. . . elided . . .
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
. . . elided . . .
<s:key name="actions">email</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.fields"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule">*/30 * * * *</s:key>
<s:key name="description">scheduled search for view name=dashboard_live</s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time">1</s:key>
<s:key name="dispatch.latest_time">2</s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
. . . elided . . .
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="is_visible">0</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time">2011-12-02 11:30:00 PST</s:key>
<s:key name="qualifiedSearch"> noop</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="scheduled_times"><s:list><s:item>1322836200</s:item><s:item>1322838000</s:item><s:item>1322839800</s:item><s:item>1322841600</s:item></s:list></s:key>
<s:key name="search">| noop</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
saved/searches/{name}/suppress GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/suppress
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:22:51-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-26T18:22:51-04:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="expiration">13811</s:key>
<s:key name="suppressed">1</s:key>
<s:key name="suppressionKey">admin;search;MySavedSearch;;</s:key>
</s:dict>
</content>
</entry>
</feed>
scheduled/views GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/scheduled/views
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
<updated>2011-07-27T16:27:55-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView</id>
<updated>2011-07-27T16:27:55-04:00</updated>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults"></s:key>
<s:key name="action.email.to">email@example.com</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="cron_schedule">* * * * *</s:key>
<s:key name="description">scheduled search for view name=MyView</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 16:28:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
scheduled/views/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
<updated>2011-07-27T16:16:02-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
scheduled/views/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T17:12:11-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
<updated>2011-07-27T17:12:11-04:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="cron_schedule">* * * * *</s:key>
<s:key name="description">scheduled search for view name=MyView</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>next_scheduled_time</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>action.email.to</s:item>
<s:item>cron_schedule</s:item>
<s:item>is_scheduled</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list><s:item>action\.email.*</s:item></s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 17:13:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
scheduled/views/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew -d action.email.to="info@example.com" -d cron_schedule="0 * * * *" -d is_scheduled=1 -d description="New description"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T17:59:32-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
<updated>2011-07-27T17:59:32-04:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="cron_schedule">0 * * * *</s:key>
<s:key name="description">New Description</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 18:00:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
scheduled/views/{name}/dispatch POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/dispatch -d trigger_actions=1
XML Response
<?xml version='1.0' encoding='UTF-8'?> <response><sid>admin__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311805021_c24ff1ea77ad714b</sid></response>
scheduled/views/{name}/history GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew/history
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T16:25:22-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</id>
<updated>2011-07-27T16:25:15-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-27T16:25:15-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
</s:dict>
</content>
</entry>
</feed>
scheduled/views/{name}/reschedule POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard2/reschedule -d schedule_time=2013-02-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/services/scheduled/views</id>
<updated>2012-10-02T08:48:18-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
scheduled/views/{name}/scheduled_times GET
XML
XML Request
curl -k -u admin:admin https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://wma-mbp15:8089/services/scheduled/views</id>
<updated>2011-12-01T14:40:18-08:00</updated>
<generator version="112383"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__dashboard_live</title>
<id>https://wma-mbp15:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live</id>
<updated>2011-12-01T14:40:18-08:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "width_sort_columns=$action.email.width_sort_columns$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]></s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">dashboard_live</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">1</s:key>
<s:key name="action.email.reportServerURL"> </s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">wma@splunk.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.email.width_sort_columns">1</s:key>
<s:key name="cron_schedule">/5 * * * *</s:key>
<s:key name="description">scheduled search for view name=dashboard_live</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-12-01 15:00:00 PST</s:key>
</s:dict>
</content>
</entry>
</feed>
search/jobs GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs --get -d search="eventCount>100"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>jobs</title>
<id>https://localhost:8089/services/search/jobs</id>
<updated>2011-06-21T10:12:22-07:00</updated>
<generator version="100492"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>8</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput
| chart sum(kb) by series | sort -sum(kb) | head 5</title>
<id>https://localhost:8089/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</id>
<updated>2011-06-21T10:10:31.000-07:00</updated>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4" rel="alternate"/>
<published>2011-06-21T10:10:23.000-07:00</published>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/search.log" rel="log"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/events" rel="events"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results" rel="results"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results_preview" rel="results_preview"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/timeline" rel="timeline"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/summary" rel="summary"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/control" rel="control"/>
<author>
<name>splunk-system-user</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="delegate">scheduler</s:key>
<s:key name="diskUsage">73728</s:key>
<s:key name="dispatchState">DONE</s:key>
<s:key name="doneProgress">1.00000</s:key>
<s:key name="dropCount">0</s:key>
<s:key name="earliestTime">2011-06-20T10:10:00.000-07:00</s:key>
<s:key name="eventAvailableCount">0</s:key>
<s:key name="eventCount">1363</s:key>
<s:key name="eventFieldCount">0</s:key>
<s:key name="eventIsStreaming">1</s:key>
<s:key name="eventIsTruncated">1</s:key>
<s:key name="eventSearch">search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput </s:key>
<s:key name="eventSorting">none</s:key>
<s:key name="isDone">1</s:key>
<s:key name="isFailed">0</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isPaused">0</s:key>
<s:key name="isPreviewEnabled">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isRemoteTimeline">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isSavedSearch">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="keywords">group::per_sourcetype_thruput index::_internal source::*/metrics.log* source::*\metrics.log*</s:key>
<s:key name="label">Top five sourcetypes</s:key>
<s:key name="latestTime">2011-06-21T10:10:00.000-07:00</s:key>
<s:key name="numPreviews">0</s:key>
<s:key name="priority">5</s:key>
<s:key name="remoteSearch">litsearch index=_internal ( source=*/metrics.log* OR source=*\\metrics.log* )
group=per_sourcetype_thruput | addinfo type=count label=prereport_events
| fields keepcolorder=t "kb" "prestats_reserved_*" "psrsvd_*" "series"
| convert num("kb") | prestats sum(kb) AS "sum(kb)" by series</s:key>
<s:key name="reportSearch">chart sum(kb) by series | sort -sum(kb) | head 5</s:key>
<s:key name="resultCount">4</s:key>
<s:key name="resultIsStreaming">0</s:key>
<s:key name="resultPreviewCount">4</s:key>
<s:key name="runDuration">0.259000</s:key>
<s:key name="scanCount">1363</s:key>
<s:key name="searchEarliestTime">1308589800.000000000</s:key>
<s:key name="searchLatestTime">1308676200.000000000</s:key>
<s:key name="sid">scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</s:key>
<s:key name="statusBuckets">0</s:key>
<s:key name="ttl">489</s:key>
<s:key name="performance">
<s:dict>
<s:key name="command.addinfo">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.chart">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">100000</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.convert">
<s:dict>
<s:key name="duration_secs">0.006</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.fields">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.head">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.presort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.prestats">
<s:dict>
<s:key name="duration_secs">0.014</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">12</s:key>
</s:dict>
</s:key>
<s:key name="command.search">
<s:dict>
<s:key name="duration_secs">0.058</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.fieldalias">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">3</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.filter">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.index">
<s:dict>
<s:key name="duration_secs">0.010</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
<s:key name="command.search.kv">
<s:dict>
<s:key name="duration_secs">0.011</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.lookups">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">3</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.rawdata">
<s:dict>
<s:key name="duration_secs">0.034</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.tags">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.typer">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.sort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.createProviderQueue">
<s:dict>
<s:key name="duration_secs">0.067</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate">
<s:dict>
<s:key name="duration_secs">0.038</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.chart">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.head">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.search">
<s:dict>
<s:key name="duration_secs">0.037</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.sort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.fetch">
<s:dict>
<s:key name="duration_secs">0.126</s:key>
<s:key name="invocations">6</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.stream.local">
<s:dict>
<s:key name="duration_secs">0.070</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="messages">
<s:dict/>
</s:key>
<s:key name="request">
<s:dict>
<s:key name="ui_dispatch_app"></s:key>
<s:key name="ui_dispatch_view"></s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="modifiable">true</s:key>
<s:key name="sharing">global</s:key>
<s:key name="app">search</s:key>
<s:key name="can_write">true</s:key>
</s:dict>
</s:key>
<s:key name="searchProviders">
<s:list>
<s:item>mbp15.splunk.com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
search/jobs POST
XML
XML Request
- Basic example:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300
- Create custom property example:
curl -u admin:changeme -k https://localhost:8089/services/search/jobs
-d search="search *"
-d custom.foobar="myCustomPropA"
-d custom.foobaz="myCustomPropB"
Use the search/jobs GET request to view the custom properties.
- Create indexed real-time search with five second disk sync delay example:
curl -k -u admin:changed https://localhost:8089/services/search/jobs
-d search="search index=_* *"
-d search_mode="realtime"
-d indexedRealtime="1"
-d indexedRealtimeOffset="300"
XML Response
<response><sid>mysearch_02151949</sid></response>
search/jobs/export POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 1"
XML Response
<results preview='0'> <meta> <fieldOrder> <field>_cd</field> <field>_indextime</field> <field>_raw</field> <field>_serial</field> <field>_si</field> <field>_sourcetype</field> <field>_subsecond</field> <field>_time</field> <field>host</field> <field>index</field> <field>linecount</field> <field>source</field> <field>sourcetype</field> <field>splunk_server</field> </fieldOrder> </meta> <messages> <msg type="DEBUG">base lispy: [ AND index::_internal ]</msg> <msg type="DEBUG">search context: user="admin", app="search", bs-pathname="/Applications/splunk/etc"</msg> <msg type="INFO">Your timerange was substituted based on your search string</msg> </messages> <result offset='0'> <field k='_cd'> <value><text>50:59480</text></value> </field> <field k='_indextime'> <value><text>1333739623</text></value> </field> <field k='_raw'><v xml:space='preserve' trunc='0'>127.0.0.1 - admin [06/Apr/2012:12:13:42.943 -0700] "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 2063 - - - 317ms</v></field> <field k='_serial'> <value><text>0</text></value> </field> <field k='_si'> <value><text>mbp15.splunk.com</text></value> <value><text>_internal</text></value> </field> <field k='_sourcetype'> <value><text>splunkd_access</text></value> </field> <field k='_subsecond'> <value><text>.943</text></value> </field> <field k='_time'> <value><text>2012-04-06 12:13:42.943 PDT</text></value> </field> <field k='host'> <value><text>mbp15.splunk.com</text></value> </field> <field k='index'> <value h='1'><text>_internal</text></value> </field> <field k='linecount'> <value><text>1</text></value> </field> <field k='source'> <value><text>/Applications/splunk/var/log/splunk/splunkd_access.log</text></value> </field> <field k='sourcetype'> <value><text>splunkd_access</text></value> </field> <field k='splunk_server'> <value><text>mbp15.splunk.com</text></value> </field> </result> </results>
search/jobs/{search_id} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<response><messages><msg type='INFO'>Search job cancelled.</msg></messages></response
search/jobs/{search_id} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<entry
xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>search index</title>
<id>https://localhost:8089/services/search/jobs/mysearch_02151949</id>
<updated>2011-07-07T20:49:58.000-07:00</updated>
<link href="/services/search/jobs/mysearch_02151949" rel="alternate"/>
<published>2011-07-07T20:49:57.000-07:00</published>
<link href="/services/search/jobs/mysearch_02151949/search.log" rel="search.log"/>
<link href="/services/search/jobs/mysearch_02151949/events" rel="events"/>
<link href="/services/search/jobs/mysearch_02151949/results" rel="results"/>
<link href="/services/search/jobs/mysearch_02151949/results_preview" rel="results_preview"/>
<link href="/services/search/jobs/mysearch_02151949/timeline" rel="timeline"/>
<link href="/services/search/jobs/mysearch_02151949/summary" rel="summary"/>
<link href="/services/search/jobs/mysearch_02151949/control" rel="control"/>
<author>
<name>admin</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="delegate"></s:key>
<s:key name="diskUsage">2174976</s:key>
<s:key name="dispatchState">DONE</s:key>
<s:key name="doneProgress">1.00000</s:key>
<s:key name="dropCount">0</s:key>
<s:key name="earliestTime">2011-07-07T11:18:08.000-07:00</s:key>
<s:key name="eventAvailableCount">287</s:key>
<s:key name="eventCount">287</s:key>
<s:key name="eventFieldCount">6</s:key>
<s:key name="eventIsStreaming">1</s:key>
<s:key name="eventIsTruncated">0</s:key>
<s:key name="eventSearch">search index</s:key>
<s:key name="eventSorting">desc</s:key>
<s:key name="isDone">1</s:key>
<s:key name="isFailed">0</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isPaused">0</s:key>
<s:key name="isPreviewEnabled">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isRemoteTimeline">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isSavedSearch">0</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="keywords">index</s:key>
<s:key name="label"></s:key>
<s:key name="latestTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="numPreviews">0</s:key>
<s:key name="priority">5</s:key>
<s:key name="remoteSearch">litsearch index | fields keepcolorder=t "host" "index" "linecount" "source" "sourcetype" "splunk_server"</s:key>
<s:key name="reportSearch"></s:key>
<s:key name="resultCount">287</s:key>
<s:key name="resultIsStreaming">1</s:key>
<s:key name="resultPreviewCount">287</s:key>
<s:key name="runDuration">1.004000</s:key>
<s:key name="scanCount">287</s:key>
<s:key name="sid">mysearch_02151949</s:key>
<s:key name="statusBuckets">0</s:key>
<s:key name="ttl">516</s:key>
<s:key name="performance">
<s:dict>
<s:key name="command.fields">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search">
<s:dict>
<s:key name="duration_secs">0.089</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.fieldalias">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.index">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">4</s:key>
</s:dict>
</s:key>
<s:key name="command.search.kv">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="command.search.lookups">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.rawdata">
<s:dict>
<s:key name="duration_secs">0.083</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="command.search.tags">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.typer">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.createProviderQueue">
<s:dict>
<s:key name="duration_secs">0.059</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate">
<s:dict>
<s:key name="duration_secs">0.037</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.search">
<s:dict>
<s:key name="duration_secs">0.036</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.fetch">
<s:dict>
<s:key name="duration_secs">0.092</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.readEventsInResults">
<s:dict>
<s:key name="duration_secs">0.110</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.stream.local">
<s:dict>
<s:key name="duration_secs">0.089</s:key>
<s:key name="invocations">4</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.timeline">
<s:dict>
<s:key name="duration_secs">0.359</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="messages">
<s:dict/>
</s:key>
<s:key name="request">
<s:dict>
<s:key name="id">mysearch_02151949</s:key>
<s:key name="search">search index</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="owner">admin</s:key>
<s:key name="modifiable">true</s:key>
<s:key name="sharing">global</s:key>
<s:key name="app">search</s:key>
<s:key name="can_write">true</s:key>
</s:dict>
</s:key>
<s:key name="searchProviders">
<s:list>
<s:item>mbp15.splunk.com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
search/jobs/{search_id} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/{search_id} -d custom.*=UNDONE_curl_param
XML Response
TBD
search/jobs/{search_id}/control POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/control -d action=pause
XML Response
<response><messages><msg type='INFO'>Search job paused.</msg></messages></response>
search/jobs/{search_id}/events GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/1312313809.20/events --get -d f=arch -d f=build -d f=connectionType -d r -d count=3
XML Response
<results preview='0'> <meta> <fieldOrder> <field>arch</field> <field>build</field> <field>connectionType</field> <field>date_hour</field> </fieldOrder> </meta> <result offset='0'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> <result offset='1'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> <result offset='2'> <field k='arch'> <value><text>i686</text></value> </field> <field k='build'> <value><text>98164</text></value> </field> <field k='connectionType'> <value><text>cooked</text></value> </field> <field k='date_hour'> <value><text>19</text></value> </field> </result> </results>
search/jobs/{search_id}/results GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0,
"messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
"type" : "DEBUG"
},
{ "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
"type" : "DEBUG"
}
],
"preview" : false,
"results" : [ { "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
}
]
}
search/jobs/{search_id}/results_preview GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results_preview --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0,
"messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
"type" : "DEBUG"
},
{ "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
"type" : "DEBUG"
}
],
"preview" : false,
"results" : [ { "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
}
]
}
search/jobs/{search_id}/search.log GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/search.log
XML Response
TBD
Raw Response
07-07-2011 21:36:22.066 INFO ApplicationManager - Found application directory: /Applications/splunk4.3/etc/apps/user-prefs 07-07-2011 21:36:22.066 INFO ApplicationManager - Initialized at least 12 applications: /Applications/splunk4.3/etc/apps 07-07-2011 21:36:22.066 INFO ApplicationManager - Found 5 application(s) that might have global exports 07-07-2011 21:36:22.073 INFO dispatchRunner - initing LicenseMgr in search process: nonPro=0 07-07-2011 21:36:22.074 INFO LicenseMgr - Initing LicenseMgr 07-07-2011 21:36:22.075 INFO ServerConfig - My GUID is "1F3A34AE-75DA-4680-B184-5BF309843919". 07-07-2011 21:36:22.075 INFO ServerConfig - My hostname is "ombroso-mbp15.local". 07-07-2011 21:36:22.076 INFO SSLCommon - added zlib compression 07-07-2011 21:36:22.077 INFO ServerConfig - Default output queue for file-based input: parsingQueue. 07-07-2011 21:36:22.077 INFO LMConfig - serverName=mbp15.splunk.com guid=1F3A34AE-75DA-4680-B184-5BF309843919 07-07-2011 21:36:22.077 INFO LMConfig - connection_timeout=30 07-07-2011 21:36:22.077 INFO LMConfig - send_timeout=30 07-07-2011 21:36:22.077 INFO LMConfig - receive_timeout=30 . . . elided . . .
search/jobs/{search_id}/summary GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/summary --get -d f=source -d f=sourcetype -d f=host -d top_count=5
XML Response
<?xml version='1.0' encoding='UTF-8'?> <summary earliest_time='1969-12-31T16:00:00.000-08:00' latest_time='1969-12-31T16:00:00.464-08:00' duration='0' c='150375'> <field k='host' c='150375' nc='0' dc='1' exact='1'> <modes> <value c='150375' exact='1'><text>tiny</text></value> </modes> </field> <field k='source' c='150375' nc='0' dc='13' exact='1'> <modes> <value c='136107' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/metrics.log</text></value> <value c='6682' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd_access.log</text></value> <value c='4656' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/scheduler.log</text></value> <value c='1714' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/web_access.log</text></value> <value c='937' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd.log</text></value> </modes> </field> <field k='sourcetype' c='150375' nc='0' dc='10' exact='1'> <modes> <value c='137053' exact='1'><text>splunkd</text></value> <value c='6682' exact='1'><text>splunkd_access</text></value> <value c='4656' exact='1'><text>scheduler</text></value> <value c='1714' exact='1'><text>splunk_web_access</text></value> <value c='193' exact='1'><text>splunk_web_service</text></value> </modes> </field> </summary>
search/jobs/{search_id}/timeline GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/timeline --get -d time_format="%c"
XML Response
<timeline c='150397' cursor='1312308000'> <bucket c='7741' a='7741' t='1312308000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 11:00:00 2011</bucket> <bucket c='7894' a='7894' t='1312311600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 12:00:00 2011</bucket> <bucket c='7406' a='7406' t='1312315200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 13:00:00 2011</bucket> <bucket c='6097' a='6097' t='1312318800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 14:00:00 2011</bucket> <bucket c='6072' a='6072' t='1312322400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 15:00:00 2011</bucket> <bucket c='6002' a='6002' t='1312326000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 16:00:00 2011</bucket> <bucket c='6004' a='6004' t='1312329600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 17:00:00 2011</bucket> <bucket c='5994' a='5994' t='1312333200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 18:00:00 2011</bucket> <bucket c='6037' a='6037' t='1312336800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 19:00:00 2011</bucket> <bucket c='6021' a='6021' t='1312340400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 20:00:00 2011</bucket> <bucket c='6051' a='6051' t='1312344000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 21:00:00 2011</bucket> <bucket c='6006' a='6006' t='1312347600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 22:00:00 2011</bucket> <bucket c='6041' a='6041' t='1312351200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 23:00:00 2011</bucket> <bucket c='5993' a='5993' t='1312354800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 00:00:00 2011</bucket> <bucket c='6040' a='6040' t='1312358400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 01:00:00 2011</bucket> <bucket c='5993' a='5993' t='1312362000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 02:00:00 2011</bucket> <bucket c='6061' a='6061' t='1312365600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 03:00:00 2011</bucket> <bucket c='5995' a='5995' t='1312369200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 04:00:00 2011</bucket> <bucket c='5988' a='5988' t='1312372800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 05:00:00 2011</bucket> <bucket c='6042' a='6042' t='1312376400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 06:00:00 2011</bucket> <bucket c='5998' a='5998' t='1312380000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 07:00:00 2011</bucket> <bucket c='6055' a='6055' t='1312383600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 08:00:00 2011</bucket> <bucket c='5997' a='5997' t='1312387200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 09:00:00 2011</bucket> <bucket c='5994' a='5994' t='1312390800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 10:00:00 2011</bucket> <bucket c='875' a='875' t='1312394400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 11:00:00 2011</bucket> </timeline>
search/parser GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/parser --get -d output_mode=json -d q="search index=os sourcetype=cpu"
JSON Response
{
"remoteSearch": "litsearch | fields keepcolorder=t \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"remoteTimeOrdered": true,
"eventsSearch": "search ",
"eventsTimeOrdered": true,
"eventsStreaming": true,
"reportsSearch": "",
"commands": [
{
"command": "search",
"rawargs": "",
"pipeline": "streaming",
"args": {
"search": [""],
}
"isGenerating": true,
"streamType": "SP_STREAM",
},
]
}
search/scheduler GET
Request
curl -k -u admin:pass https://localhost:8089/services/search/scheduler
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler</id>
<updated>2015-06-09T13:23:38-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/scheduler/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler/scheduler</id>
<updated>2015-06-09T13:23:38-07:00</updated>
<link href="/services/search/scheduler/scheduler" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/scheduler/scheduler" rel="list"/>
<link href="/services/search/scheduler/scheduler" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="saved_searches_disabled">0</s:key>
</s:dict>
</content>
</entry>
</feed>
search/scheduler/status POST
XML
Request
curl -ku admin:pass -XPOST https://localhost:8089/services/search/scheduler/status -d disabled=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler</id>
<updated>2015-06-09T13:40:21-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/scheduler/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
search/timeparser GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/timeparser --get -d time=-12h -d time=-24h
XML Response
<response> <dict> <key name="-12h">2011-07-06T21:54:23.000-07:00</key> <key name="-24h">2011-07-06T09:54:23.000-07:00</key> </dict> </response>
search/typeahead GET
JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/typeahead --get -d count=3 -d prefix=source -d output_mode=json
JSON Response
{ "results" : [ { "content" : "source=\"sampledata.zip:./apache1.splunk.com/access_combined.log\"",
"count" : 9199,
"operator" : false
},
{ "content" : "source=\"sampledata.zip:./apache2.splunk.com/access_combined.log\"",
"count" : 27705,
"operator" : false
},
{ "content" : "source=\"sampledata.zip:./apache3.splunk.com/access_combined.log\"",
"count" : 27888,
"operator" : false
}
]
}
Last modified on 21 April, 2017
|
PREVIOUS Search endpoint descriptions |
NEXT System endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Feedback submitted, thanks!