Splunk® Enterprise

REST API Reference Manual


This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Search endpoint examples

alerts/fired_alerts GET

XML
XML Request
# Lists fired alerts for user admin across all apps ("-" is the wildcard in the namespace path).
# -k turns off TLS certificate verification and -u admin:pass puts the password on the command
# line, where it lands in shell history and process listings. Against anything other than a local
# test instance, verify the server certificate (curl --cacert) and let curl prompt for the
# password (-u admin).
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/fired_alerts
XML Response
<!-- Sample Atom feed for the fired-alerts collection. It holds one entry, titled "-",
     whose triggered_alert_count is 0. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>alerts</title>
  <id>https://localhost:8089/services/alerts/fired_alerts</id>
  <updated>2011-07-11T19:27:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>-</title>
    <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/-</id>
    <updated>2011-07-11T19:27:22-07:00</updated>
    <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <!-- NOTE(review): eai:acl is normally where owner, app, sharing and permissions are
             reported; keep it in view when using this output to audit who can read or remove
             alert records. -->
        <s:key name="triggered_alert_count">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

alerts/fired_alerts/{name} DELETE

XML
XML Request
# Removes a single fired-alert record. The final path segment is the record's own name
# (scheduler__<user>__<app>_..._at_<time>_...), not the name of the saved search.
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/scheduler__admin__search_aGF2ZV9ldmVudHM_at_1310437740_5d3dfde563194ffd_1310437749
XML Response
<!-- Sample response to the DELETE call: feed metadata only, with an empty s:messages
     element and no entry elements. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>alerts</title>
  <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
  <updated>2011-07-11T19:35:25-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

alerts/fired_alerts/{name} GET

XML
XML Request
# Lists the fired-alert records of one saved search; here the final path segment is the
# saved-search name (MyAlert).
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/MyAlert
XML Response
<!-- Sample feed of fired-alert records for the saved search MyAlert. One record is shown in
     full; the rest are elided at the end of the feed. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>alerts</title>
  <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
  <updated>2012-10-25T09:20:04-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</title>
    <id>https://localhost:8089/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</id>
    <updated>2012-10-25T09:19:47-07:00</updated>
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2012-10-25T09:19:47-07:00</published>
    <!-- Judging by the rel values, the links below give the URL for listing this record, the
         URL for removing it, the search job that produced it and the saved search behind it.
         All of them sit under servicesNS/nobody/search although the entry's author is admin. -->
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="list"/>
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="remove"/>
    <link href="/servicesNS/nobody/search/search/jobs/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31" rel="job"/>
    <link href="/servicesNS/nobody/search/saved/searches/MyAlert" rel="savedsearch"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="actions"/>
        <s:key name="alert_type">real time</s:key>
        <s:key name="digest_mode">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="expiration_time_rendered">2012-10-26 09:19:47 PDT</s:key>
        <s:key name="savedsearch_name">MyAlert</s:key>
        <s:key name="severity">3</s:key>
        <!-- sid matches the job id in the rel="job" link above. -->
        <s:key name="sid">rt_scheduler__admin__search__MyAlert_at_1351181001_5.31</s:key>
        <!-- trigger_time is epoch seconds; trigger_time_rendered is the same instant as
             local time. -->
        <s:key name="trigger_time">1351181987</s:key>
        <s:key name="trigger_time_rendered">2012-10-25 09:19:47 PDT</s:key>
        <s:key name="triggered_alerts">5</s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

data/commands GET

XML
XML Request
# Lists the search-command definitions (feed title "commandsconf") visible in the
# nobody/search namespace.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands
XML Response
<!-- Sample feed of search-command definitions in the nobody/search namespace. One entry,
     bucketdir, is shown. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>commandsconf</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
  <updated>2011-07-07T00:52:26-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
  <s:messages/>
  <entry>
    <title>bucketdir</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/commands/bucketdir</id>
    <updated>2011-07-07T00:52:26-07:00</updated>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="list"/>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="changes_colorder">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="enableheader">1</s:key>
        <!-- filename and type (further down) name the script behind the command:
             bucketdir.py, run as python. -->
        <s:key name="filename">bucketdir.py</s:key>
        <s:key name="generates_timeorder">0</s:key>
        <s:key name="generating">0</s:key>
        <s:key name="maxinputs">50000</s:key>
        <s:key name="outputheader">0</s:key>
        <!-- passauth is 0 for this command. Per the commands.conf documentation this setting
             controls whether splunkd hands the script authentication details of the invoking
             user, so it is worth checking on any command that reports 1. -->
        <s:key name="passauth">0</s:key>
        <s:key name="required_fields">*</s:key>
        <s:key name="requires_preop">0</s:key>
        <s:key name="retainsevents">0</s:key>
        <s:key name="streaming">0</s:key>
        <s:key name="supports_getinfo">0</s:key>
        <s:key name="supports_rawargs">1</s:key>
        <s:key name="type">python</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/commands/{name} GET

XML
XML Request
# Fetches the definition of a single search command, here "input".
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands/input
XML Response
<!-- Sample feed for one search-command definition, "input", in the nobody/search
     namespace. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>commandsconf</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
  <updated>2011-07-07T00:52:26-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
  <s:messages/>
  <entry>
    <title>input</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/commands/input</id>
    <updated>2011-07-07T00:52:26-07:00</updated>
    <link href="/servicesNS/nobody/search/data/commands/input" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/commands/input" rel="list"/>
    <link href="/servicesNS/nobody/search/data/commands/input/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/commands/input/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="changes_colorder">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <!-- eai:attributes lists the optional, required and wildcard fields of the
             endpoint; all three lists are empty in this sample. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="enableheader">1</s:key>
        <s:key name="filename">input.py</s:key>
        <s:key name="generates_timeorder">0</s:key>
        <s:key name="generating">0</s:key>
        <s:key name="maxinputs">50000</s:key>
        <s:key name="outputheader">0</s:key>
        <!-- passauth is 1 for this command. Per the commands.conf documentation, splunkd then
             hands input.py authentication details of the invoking user; the script should be
             reviewed and its file permissions kept tight accordingly. -->
        <s:key name="passauth">1</s:key>
        <s:key name="required_fields">*</s:key>
        <s:key name="requires_preop">0</s:key>
        <s:key name="retainsevents">0</s:key>
        <s:key name="streaming">0</s:key>
        <s:key name="supports_getinfo">0</s:key>
        <s:key name="supports_rawargs">1</s:key>
        <s:key name="type">python</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches GET

XML
XML Request
# Lists saved searches. The path is /services/ with no servicesNS/<user>/<app> namespace;
# the entry in the sample response lives under servicesNS/nobody/search.
curl -k -u admin:pass https://localhost:8089/services/saved/searches
XML Response
<!-- Sample feed of the saved-search collection. One entry is shown, "Errors in the last
     24 hours", stored under servicesNS/nobody/search. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2011-07-13T11:56:35-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Errors in the last 24 hours</title>
    <id>https://localhost:8089/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours</id>
    <updated>2011-07-13T11:56:35-07:00</updated>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <!-- The rel values below (list, _reload, edit, disable, dispatch, history) name the
         operations offered for this entry. NOTE(review): presumably the set depends on the
         caller's permissions; confirm against eai:acl, which is elided here. -->
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/disable" rel="disable"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/dispatch" rel="dispatch"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <!-- All action.* switches are 0 in this sample: email, populate_lookup, rss, script
             and summary_index. -->
        <s:key name="action.email">0</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.sendresults"/>
        <s:key name="action.email.to"/>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"/>
        <s:key name="alert.suppress.period"/>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"/>
        <s:key name="alert_condition"/>
        <s:key name="alert_threshold"/>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"/>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time">-1d</s:key>
        <s:key name="dispatch.latest_time"/>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"/>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"/>
        <!-- qualifiedSearch is the search string from the "search" key further down with the
             leading "search" command written out. -->
        <s:key name="qualifiedSearch">search  error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"/>
        <s:key name="request.ui_dispatch_view"/>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
        <s:key name="vsid">*:75qh2fwx</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches POST

XML
XML Request
# Creates a saved search named MySavedSearch in the admin/search namespace. -d sends the
# fields as a POST body; --data-urlencode URL-encodes the search string so its spaces, "="
# and "*" reach the server as part of the value.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches -d name=MySavedSearch --data-urlencode search="index=_internal source=*metrics.log"
XML Response
<!-- Sample response to creating MySavedSearch. The new entry comes back with its full set
     of settings. The example request supplied only name and search, so the other values
     are presumably server-side defaults or existing configuration. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-12-09T09:10:21-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-12-09T09:10:21-08:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">0</s:key>
        <!-- The response carries the mail-server credential: auth_username in clear and
             auth_password in its stored form. NOTE(review): the $1$ prefix looks like
             Splunk's marker for a value encrypted with the instance's splunk.secret, which
             is reversible for anyone holding that file. Handle this output as sensitive and
             keep it out of logs, tickets and shared transcripts. -->
        <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
        <s:key name="action.email.auth_username">myusername</s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$
          | sendemail "server=$action.email.mailserver{default=localhost}$"
          "use_ssl=$action.email.use_ssl{default=false}$"
          "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$"
          "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
          "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
          "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
          "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
          "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
          "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
          maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview"></s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">1</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to"></s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <!-- use_ssl and use_tls are both 0 here while a mail credential is configured above. -->
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"</s:key>
        <s:key name="action.populate_lookup.dest"></s:key>
        <s:key name="action.populate_lookup.hostname"></s:key>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger:
          $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
        </s:key>
        <s:key name="action.rss.hostname"></s:key>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <!-- The script action is off (0) and action.script.filename is empty in this sample.
             The command template below passes that filename to runshellscript, so write
             access to these keys decides who can have the server run a script when the
             alert fires. -->
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$"
          "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$"
          maxtime="$action.script.maxtime{default=5m}$"
        </s:key>
        <s:key name="action.script.filename"></s:key>
        <s:key name="action.script.hostname"></s:key>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
          file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
          key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
        </s:key>
        <s:key name="action.summary_index.hostname"></s:key>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.fields"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"></s:key>
        <s:key name="description"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"></s:key>
        <s:key name="dispatch.latest_time"></s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.rt_backfill">0</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"></s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"></s:key>
        <!-- qualifiedSearch and search echo the string sent in the request, the former with
             the leading "search" command written out. -->
        <s:key name="qualifiedSearch">search  index=_internal source=*metrics.log</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">index=_internal source=*metrics.log</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name} DELETE

XML
XML Request
# Deletes the saved search MySavedSearch from the admin/search namespace.
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<!-- Sample response to the DELETE call: collection metadata and links only, with an empty
     s:messages element and no entry elements. -->
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-13T12:09:05-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

saved/searches/{name} GET

XML
XML Request
# Fetches the full settings of the saved search MySavedSearch in the admin/search namespace.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-13T11:57:54-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-13T11:57:54-07:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">0</s:key>
        <s:key name="action.email.auth_password"/>
        <s:key name="action.email.auth_username"/>
        <s:key name="action.email.bcc"/>
        <s:key name="action.email.cc"/>
        <s:key name="action.email.command">
      <![CDATA[$action.email.preprocess_results{default=""}$
     | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
      "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
      "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$"
      "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)"
      "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
      "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
      "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
      maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"/>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.preprocess_results"/>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"/>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to"/>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">
          copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"
        </s:key>
        <s:key name="action.populate_lookup.hostname"/>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">
          createrss "path=$name$.xml" "name=$name$" "link=$results.url$"
          "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30"
          "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
        </s:key>
        <s:key name="action.rss.hostname"/>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$"
          "$results.count$" "$search$" "$search$" "$name$"
          "Saved Search [$name$] $counttype$($results.count$)" "$results.url$"
          "$deprecated_arg$" "$search_id$"
          maxtime="$action.script.maxtime{default=5m}$"
        </s:key>
        <s:key name="action.script.hostname"/>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command">
          <![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
          file="$name$_$#random$.stash_new" name="$name$"
          marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
            key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
        </s:key>
        <s:key name="action.summary_index.hostname"/>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"/>
        <s:key name="alert.suppress.period"/>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"/>
        <s:key name="alert_condition"/>
        <s:key name="alert_threshold"/>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"/>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"/>
        <s:key name="dispatch.latest_time"/>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"/>
        <!-- eai:acl elided -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>action.email</s:item>
                <s:item>action.email.auth_password</s:item>
                <s:item>action.email.auth_username</s:item>
                <s:item>action.email.bcc</s:item>
                <s:item>action.email.cc</s:item>
                <s:item>action.email.command</s:item>
                <s:item>action.email.format</s:item>
                <s:item>action.email.from</s:item>
                <s:item>action.email.hostname</s:item>
                <s:item>action.email.inline</s:item>
                <s:item>action.email.mailserver</s:item>
                <s:item>action.email.maxresults</s:item>
                <s:item>action.email.maxtime</s:item>
                <s:item>action.email.preprocess_results</s:item>
                <s:item>action.email.reportPaperOrientation</s:item>
                <s:item>action.email.reportPaperSize</s:item>
                <s:item>action.email.reportServerEnabled</s:item>
                <s:item>action.email.reportServerURL</s:item>
                <s:item>action.email.sendpdf</s:item>
                <s:item>action.email.sendresults</s:item>
                <s:item>action.email.subject</s:item>
                <s:item>action.email.to</s:item>
                <s:item>action.email.track_alert</s:item>
                <s:item>action.email.ttl</s:item>
                <s:item>action.email.use_ssl</s:item>
                <s:item>action.email.use_tls</s:item>
                <s:item>action.populate_lookup</s:item>
                <s:item>action.populate_lookup.command</s:item>
                <s:item>action.populate_lookup.hostname</s:item>
                <s:item>action.populate_lookup.maxresults</s:item>
                <s:item>action.populate_lookup.maxtime</s:item>
                <s:item>action.populate_lookup.track_alert</s:item>
                <s:item>action.populate_lookup.ttl</s:item>
                <s:item>action.rss</s:item>
                <s:item>action.rss.command</s:item>
                <s:item>action.rss.hostname</s:item>
                <s:item>action.rss.maxresults</s:item>
                <s:item>action.rss.maxtime</s:item>
                <s:item>action.rss.track_alert</s:item>
                <s:item>action.rss.ttl</s:item>
                <s:item>action.script</s:item>
                <s:item>action.script.command</s:item>
                <s:item>action.script.hostname</s:item>
                <s:item>action.script.maxresults</s:item>
                <s:item>action.script.maxtime</s:item>
                <s:item>action.script.track_alert</s:item>
                <s:item>action.script.ttl</s:item>
                <s:item>action.summary_index</s:item>
                <s:item>action.summary_index._name</s:item>
                <s:item>action.summary_index.command</s:item>
                <s:item>action.summary_index.hostname</s:item>
                <s:item>action.summary_index.inline</s:item>
                <s:item>action.summary_index.maxresults</s:item>
                <s:item>action.summary_index.maxtime</s:item>
                <s:item>action.summary_index.track_alert</s:item>
                <s:item>action.summary_index.ttl</s:item>
                <s:item>actions</s:item>
                <s:item>alert.digest_mode</s:item>
                <s:item>alert.expires</s:item>
                <s:item>alert.severity</s:item>
                <s:item>alert.suppress</s:item>
                <s:item>alert.suppress.period</s:item>
                <s:item>alert.track</s:item>
                <s:item>alert_comparator</s:item>
                <s:item>alert_condition</s:item>
                <s:item>alert_threshold</s:item>
                <s:item>alert_type</s:item>
                <s:item>cron_schedule</s:item>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>dispatch.buckets</s:item>
                <s:item>dispatch.earliest_time</s:item>
                <s:item>dispatch.latest_time</s:item>
                <s:item>dispatch.lookups</s:item>
                <s:item>dispatch.max_count</s:item>
                <s:item>dispatch.max_time</s:item>
                <s:item>dispatch.reduce_freq</s:item>
                <s:item>dispatch.spawn_process</s:item>
                <s:item>dispatch.time_format</s:item>
                <s:item>dispatch.ttl</s:item>
                <s:item>displayview</s:item>
                <s:item>is_scheduled</s:item>
                <s:item>is_visible</s:item>
                <s:item>max_concurrent</s:item>
                <s:item>next_scheduled_time</s:item>
                <s:item>qualifiedSearch</s:item>
                <s:item>realtime_schedule</s:item>
                <s:item>request.ui_dispatch_app</s:item>
                <s:item>request.ui_dispatch_view</s:item>
                <s:item>restart_on_searchpeer_add</s:item>
                <s:item>run_on_startup</s:item>
                <s:item>vsid</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>action\..*</s:item>
                <s:item>args\..*</s:item>
                <s:item>dispatch\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"/>
        <s:key name="qualifiedSearch">search  index</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"/>
        <s:key name="request.ui_dispatch_view"/>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">index</s:key>
        <s:key name="vsid"/>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name} POST

XML
XML Request
# Each -d adds a form field and makes this a POST: it sets actions, action.email.to and search on MySavedSearch.
# -k turns off TLS certificate verification and -u admin:pass leaves the password in shell history and the
# process list; outside a localhost demo, pass the server's CA with --cacert and use `-u admin` so curl prompts.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch -d actions=email -d action.email.to="nobody@example.com, info@example.com" -d search="my search here"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:20:14-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-26T18:20:14-04:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                    sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                    "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                    "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                    "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                    "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                    "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                    "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                    "pdfview=$action.email.pdfview$" "searchid=$search_id$"
                    "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$"
                    maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">nobody@example.com,info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"</s:key>
        <s:key name="action.populate_lookup.hostname"></s:key>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"</s:key>
        <s:key name="action.rss.hostname"></s:key>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <!-- action.script is 0 here, so the script action is switched off for this saved search.
             The command template passes action.script.filename to runshellscript.
             NOTE(review): presumably whoever can edit that field chooses the script that runs when the alert
             fires; keep write access to saved searches narrow and review it. -->
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"</s:key>
        <s:key name="action.script.hostname"></s:key>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]></s:key>
        <s:key name="action.summary_index.hostname"></s:key>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="actions">email</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"></s:key>
        <s:key name="description"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"></s:key>
        <s:key name="dispatch.latest_time"></s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.rt_backfill">0</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"></s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"></s:key>
        <!-- NOTE(review): "seach" does not match the value "my search here" sent in the request and echoed in
             the "search" key of this response; likely a typo in this sample. -->
        <s:key name="qualifiedSearch">search  my seach here</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">my search here</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/acknowledge POST

XML
XML Request
# -X POST with no -d sends an empty-bodied POST to the acknowledge action of the saved search MyAlert.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MyAlert/acknowledge -X POST
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <!-- The acknowledge call answers with the bare savedsearch collection feed: totalResults is 0 and there
       is no <entry>, so nothing in the body names the alert that was acknowledged. -->
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:31:07-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <!-- Empty s:messages element: this response carries no messages. -->
  <s:messages/>
</feed>

saved/searches/{name}/dispatch POST

XML
XML Request
# Dispatches MySavedSearch as a search job. trigger_actions=1 presumably makes the run fire the saved
# search's alert actions as well, so the call can have side effects such as outgoing email (confirm against
# the endpoint reference before scripting it).
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch -d trigger_actions=1
XML Response
<?xml version='1.0' encoding='UTF-8'?>
<!-- Unlike the Atom feeds in the other examples, dispatch answers with a plain <response> document that
     holds only the search id (sid) of the new job. The sid shown embeds the names admin, search and
     MySavedSearch and what looks like an epoch timestamp (1311797437). -->
<response><sid>admin__admin__search__MySavedSearch_at_1311797437_d831d980832e3e89</sid></response>

saved/searches/{name}/history GET

XML
XML Request
# Plain GET (no -d): lists the search jobs recorded in the history of MySavedSearch.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/history
    
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>MySavedSearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:13:20-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</id>
    <updated>2011-07-26T18:13:18-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-26T18:13:01-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <!-- State flags of this history entry: the job has finished (isDone 1), is marked as scheduled
             (isScheduled 1, matching the "scheduler__" prefix of its id) and has not been saved (isSaved 0).
             ttl is presumably the job's remaining lifetime in seconds. -->
        <s:key name="isDone">1</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isScheduled">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="ttl">86382</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</id>
    <updated>2011-07-26T17:51:23-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-26T17:51:01-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <s:key name="isDone">1</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isScheduled">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="ttl">85062</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/reschedule POST

XML
XML Request
# The saved-search name is URL-encoded in the path: %20 is a space and %2C a comma, giving
# "Purchased products, last 24 hours". schedule_time is passed as an ISO 8601 timestamp in UTC (trailing Z).
curl -k -u admin:pass https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule -d schedule_time=2012-08-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <!-- The reschedule call answers with an empty savedsearch feed (totalResults 0, no <entry>); the
       schedule_time sent in the request is not echoed anywhere in the body. -->
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2012-07-27T11:21:43-07:00</updated>
  <!-- This sample's generator element carries both build and version; the other samples show version only. -->
  <generator build="131547" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

saved/searches/{name}/scheduled_times GET

XML
XML Request
# --get makes curl append the -d pairs to the URL as a query string and send a GET instead of a POST.
# earliest_time=-5h and latest_time=-3h are relative time modifiers bounding the window to list.
curl -k -u admin:pass https://localhost:8089/services/saved/searches/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2011-12-02T11:12:55-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__dashboard_live</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live</id>
    <updated>2011-12-02T11:12:55-08:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <!-- The response returns the stored action.email.auth_password value together with the username.
             NOTE(review): the $1$ prefix suggests an encrypted or obfuscated stored form rather than clear
             text (confirm); either way, treat output of this endpoint as sensitive and keep it out of
             tickets, logs and pasted examples. -->
        <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
        <s:key name="action.email.auth_username">myusername</s:key>
        <!-- . . . elided . . . -->
        <s:key name="action.email.pdfview">dashboard_live</s:key>
        <!-- . . . elided . . . -->
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">myusername@example.com</s:key>
        <!-- . . . elided . . . -->
         <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <!-- . . . elided . . . -->
        <s:key name="actions">email</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.fields"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule">*/30 * * * *</s:key>
        <s:key name="description">scheduled search for view name=dashboard_live</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time">1</s:key>
        <s:key name="dispatch.latest_time">2</s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <!-- . . . elided . . . -->
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="is_visible">0</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time">2011-12-02 11:30:00 PST</s:key>
        <s:key name="qualifiedSearch"> noop</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <!-- The key this endpoint adds to the saved-search entry: four epoch-second timestamps, 1800 s apart,
             which matches the cron_schedule */30 * * * * shown above for this search. -->
        <s:key name="scheduled_times"><s:list><s:item>1322836200</s:item><s:item>1322838000</s:item><s:item>1322839800</s:item><s:item>1322841600</s:item></s:list></s:key>
        <s:key name="search">| noop</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/suppress GET

XML
XML Request
# Plain GET: reads the current alert-suppression state of MySavedSearch.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/suppress
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:22:51-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-26T18:22:51-04:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <!-- suppressed 1 reports that alerts for this saved search are currently suppressed; expiration is
             presumably the number of seconds until the suppression ends. suppressionKey repeats the owner,
             app and saved-search name from the request URL, followed by two empty fields.
             NOTE(review): for a detection alert, an active suppression presumably means matching events
             raise nothing until it expires, so this state is worth checking during triage. -->
        <s:key name="expiration">13811</s:key>
        <s:key name="suppressed">1</s:key>
        <s:key name="suppressionKey">admin;search;MySavedSearch;;</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views GET

XML
XML Request
# Plain GET on the collection: lists scheduled views. The request uses the un-namespaced /services/ path,
# while the ids in the response come back under /servicesNS/admin/search/.
curl -k -u admin:pass https://localhost:8089/services/scheduled/views
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
  <updated>2011-07-27T16:27:55-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView</id>
    <updated>2011-07-27T16:27:55-04:00</updated>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <!-- Email settings of the scheduled view: with action.email 1, sendpdf 1 and pdfview MyView, each run
             presumably mails a PDF rendering of MyView to the action.email.to address, so that recipient
             list decides who receives the view's data outside Splunk. -->
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults"></s:key>
        <s:key name="action.email.to">email@example.com</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <!-- "* * * * *" is an every-minute cron schedule; next_scheduled_time below (16:28:00) is the next
             minute boundary after the entry's updated time (16:27:55). -->
        <s:key name="cron_schedule">* * * * *</s:key>
        <s:key name="description">scheduled search for view name=MyView</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 16:28:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name} DELETE

XML
XML Request
# --request DELETE removes the scheduled view MyView. The response body is an empty feed that does not
# name what was deleted, so check the HTTP status as well (for example with curl -w '%{http_code}').
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <!-- Response to the DELETE: the scheduledviews collection feed with totalResults 0 and no <entry>.
       The body does not identify the deleted view. -->
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
  <updated>2011-07-27T16:16:02-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

scheduled/views/{name} GET

XML
XML Request
# Plain GET on a single scheduled view. The entry returned carries the full set of email-action keys,
# including action.email.auth_username and action.email.auth_password (both empty in this sample).
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T17:12:11-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
    <updated>2011-07-27T17:12:11-04:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                   sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                   "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                   "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                   "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                   "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                   "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                   "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                   "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
                   maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="cron_schedule">* * * * *</s:key>
        <s:key name="description">scheduled search for view name=MyView</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>next_scheduled_time</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>action.email.to</s:item>
                <s:item>cron_schedule</s:item>
                <s:item>is_scheduled</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list><s:item>action\.email.*</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 17:13:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name} POST

XML
XML Request
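# Update the scheduled view "MyView": set the e-mail recipient, the cron schedule and the description.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView -d action.email.to="info@example.com" -d cron_schedule="0 * * * *" -d is_scheduled=1 -d description="New description"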
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <!-- Sample response: an Atom feed holding one entry (totalResults is 1) for the scheduled view that was updated. -->
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T17:59:32-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
    <updated>2011-07-27T17:59:32-04:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- Each link pairs a rel (the action name) with the path that serves it for this entry. -->
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <!-- auth_password and auth_username are returned empty in this sample. -->
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <!-- Command template: each $action.email.*$ token names one of the keys listed below; {default=...} gives the fallback written in the template. -->
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                   sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                   "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                   "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                   "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                   "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                   "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                   "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                   "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
                   maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <!-- use_ssl and use_tls are both 0 in this sample; the command template passes them to sendemail, and the mail server here is localhost. -->
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <!-- cron_schedule carries the value sent in the request. -->
        <s:key name="cron_schedule">0 * * * *</s:key>
        <s:key name="description">New Description</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 18:00:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name}/dispatch POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/dispatch -d trigger_actions=1
    
XML Response
<?xml version='1.0' encoding='UTF-8'?>
<response><sid>admin__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311805021_c24ff1ea77ad714b</sid></response>

scheduled/views/{name}/history GET

XML
XML Request
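# List the history entries (search jobs) recorded for the scheduled view "MyView".
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/history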
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>_ScheduledView__MyView</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T16:25:22-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</id>
    <updated>2011-07-27T16:25:15-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-27T16:25:15-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name}/reschedule POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard2/reschedule -d schedule_time=2013-02-15T14:11:01Z
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <!-- Sample response to the reschedule request: feed metadata only. -->
  <title>scheduledviews</title>
  <id>https://localhost:8089/services/scheduled/views</id>
  <updated>2012-10-02T08:48:18-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/scheduled/views/_reload" rel="_reload"/>
  <!-- totalResults is 0: this response carries no entry elements. -->
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <!-- s:messages is empty in this sample. -->
  <s:messages/>
</feed>

scheduled/views/{name}/scheduled_times GET

XML
XML Request
curl -k -u admin:admin https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://wma-mbp15:8089/services/scheduled/views</id>
  <updated>2011-12-01T14:40:18-08:00</updated>
  <generator version="112383"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__dashboard_live</title>
    <id>https://wma-mbp15:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live</id>
    <updated>2011-12-01T14:40:18-08:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "width_sort_columns=$action.email.width_sort_columns$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]></s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">dashboard_live</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">1</s:key>
        <s:key name="action.email.reportServerURL"> </s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">wma@splunk.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.email.width_sort_columns">1</s:key>
        <s:key name="cron_schedule">/5 * * * *</s:key>
        <s:key name="description">scheduled search for view name=dashboard_live</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-12-01 15:00:00 PST</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/jobs GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs --get -d search="eventCount>100"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://localhost:8089/services/search/jobs</id>
  <updated>2011-06-21T10:12:22-07:00</updated>
  <generator version="100492"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>8</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>search  index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput
        | chart sum(kb) by series | sort -sum(kb) | head 5</title>
    <id>https://localhost:8089/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</id>
    <updated>2011-06-21T10:10:31.000-07:00</updated>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4" rel="alternate"/>
    <published>2011-06-21T10:10:23.000-07:00</published>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/search.log" rel="log"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">73728</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">2011-06-20T10:10:00.000-07:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">1363</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">1</s:key>
        <s:key name="eventSearch">search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords">group::per_sourcetype_thruput index::_internal source::*/metrics.log* source::*\metrics.log*</s:key>
        <s:key name="label">Top five sourcetypes</s:key>
        <s:key name="latestTime">2011-06-21T10:10:00.000-07:00</s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="remoteSearch">litsearch index=_internal ( source=*/metrics.log* OR source=*\\metrics.log* )
                group=per_sourcetype_thruput | addinfo  type=count label=prereport_events
                | fields  keepcolorder=t "kb" "prestats_reserved_*" "psrsvd_*" "series"
                | convert  num("kb")  | prestats  sum(kb) AS "sum(kb)" by series</s:key>
        <s:key name="reportSearch">chart  sum(kb) by series  | sort  -sum(kb)  | head  5</s:key>
        <s:key name="resultCount">4</s:key>
        <s:key name="resultIsStreaming">0</s:key>
        <s:key name="resultPreviewCount">4</s:key>
        <s:key name="runDuration">0.259000</s:key>
        <s:key name="scanCount">1363</s:key>
        <s:key name="searchEarliestTime">1308589800.000000000</s:key>
        <s:key name="searchLatestTime">1308676200.000000000</s:key>
        <s:key name="sid">scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">489</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.addinfo">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.chart">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">100000</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.convert">
              <s:dict>
                <s:key name="duration_secs">0.006</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.fields">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.head">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.presort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.prestats">
              <s:dict>
                <s:key name="duration_secs">0.014</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">12</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search">
              <s:dict>
                <s:key name="duration_secs">0.058</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.fieldalias">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">3</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.filter">
              <s:dict>
                <s:key name="duration_secs">0.004</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.index">
              <s:dict>
                <s:key name="duration_secs">0.010</s:key>
                <s:key name="invocations">5</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.kv">
              <s:dict>
                <s:key name="duration_secs">0.011</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.lookups">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">3</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.rawdata">
              <s:dict>
                <s:key name="duration_secs">0.034</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.tags">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.typer">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.sort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createProviderQueue">
              <s:dict>
                <s:key name="duration_secs">0.067</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate">
              <s:dict>
                <s:key name="duration_secs">0.038</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.chart">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.head">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.search">
              <s:dict>
                <s:key name="duration_secs">0.037</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.sort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.fetch">
              <s:dict>
                <s:key name="duration_secs">0.126</s:key>
                <s:key name="invocations">6</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.stream.local">
              <s:dict>
                <s:key name="duration_secs">0.070</s:key>
                <s:key name="invocations">5</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="modifiable">true</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">search</s:key>
            <s:key name="can_write">true</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list>
            <s:item>mbp15.splunk.com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <!-- remaining entries elided -->
</feed>

search/jobs POST

XML
XML Request
  • Basic example:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300
  • Create custom property example:
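# Create a search job that carries two custom properties (custom.foobar, custom.foobaz).
# -k skips TLS certificate verification and -u puts the password on the command
# line; outside a local test instance, verify the certificate (--cacert) and let
# curl prompt for the password (-u admin).
curl -u admin:changeme -k https://localhost:8089/services/search/jobs \
    -d search="search *" \
    -d custom.foobar="myCustomPropA" \
    -d custom.foobaz="myCustomPropB"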

Use the search/jobs GET request to view the custom properties.

  • Create indexed real-time search with five second disk sync delay example:
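# Create an indexed real-time search job.
# NOTE(review): the heading describes a five second delay, but
# indexedRealtimeOffset is set to 300 here; confirm the intended value.
curl -k -u admin:changed https://localhost:8089/services/search/jobs \
    -d search="search index=_* *" \
    -d search_mode="realtime" \
    -d indexedRealtime="1" \
    -d indexedRealtimeOffset="300"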
XML Response
<response><sid>mysearch_02151949</sid></response>

search/jobs/export POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 1"

XML Response
<results preview='0'>
<!-- Sample export response: field order, search messages, then one result (the request used "head 1"). -->
<meta>
<fieldOrder>
<field>_cd</field>
<field>_indextime</field>
<field>_raw</field>
<field>_serial</field>
<field>_si</field>
<field>_sourcetype</field>
<field>_subsecond</field>
<field>_time</field>
<field>host</field>
<field>index</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
<field>splunk_server</field>
</fieldOrder>
</meta>
<messages>
  <!-- The DEBUG messages in this sample expose the search context: user, app and a filesystem path (bs-pathname). -->
  <msg type="DEBUG">base lispy: [ AND index::_internal ]</msg>
  <msg type="DEBUG">search context: user="admin", app="search", bs-pathname="/Applications/splunk/etc"</msg>
  <msg type="INFO">Your timerange was substituted based on your search string</msg>
</messages>

	<result offset='0'>
		<field k='_cd'>
			<value><text>50:59480</text></value>
		</field>
		<field k='_indextime'>
			<value><text>1333739623</text></value>
		</field>
		<!-- _raw in this sample is an access-log line for the export request itself, including the requesting user name. -->
		<field k='_raw'><v xml:space='preserve' trunc='0'>127.0.0.1 - admin [06/Apr/2012:12:13:42.943 -0700] "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 2063 - - - 317ms</v></field>
		<field k='_serial'>
			<value><text>0</text></value>
		</field>
		<!-- _si carries two values here; they match the splunk_server and index fields below. -->
		<field k='_si'>
			<value><text>mbp15.splunk.com</text></value>
			<value><text>_internal</text></value>
		</field>
		<field k='_sourcetype'>
			<value><text>splunkd_access</text></value>
		</field>
		<field k='_subsecond'>
			<value><text>.943</text></value>
		</field>
		<field k='_time'>
			<value><text>2012-04-06 12:13:42.943 PDT</text></value>
		</field>
		<field k='host'>
			<value><text>mbp15.splunk.com</text></value>
		</field>
		<field k='index'>
			<value h='1'><text>_internal</text></value>
		</field>
		<field k='linecount'>
			<value><text>1</text></value>
		</field>
		<field k='source'>
			<value><text>/Applications/splunk/var/log/splunk/splunkd_access.log</text></value>
		</field>
		<field k='sourcetype'>
			<value><text>splunkd_access</text></value>
		</field>
		<field k='splunk_server'>
			<value><text>mbp15.splunk.com</text></value>
		</field>
	</result>

search/jobs/{search_id} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<response><messages><msg type='INFO'>Search job cancelled.</msg></messages></response>

search/jobs/{search_id} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response
<entry
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:s="http://dev.splunk.com/ns/rest"
       xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>search index</title>
  <id>https://localhost:8089/services/search/jobs/mysearch_02151949</id>
  <updated>2011-07-07T20:49:58.000-07:00</updated>
  <link href="/services/search/jobs/mysearch_02151949" rel="alternate"/>
  <published>2011-07-07T20:49:57.000-07:00</published>
  <link href="/services/search/jobs/mysearch_02151949/search.log" rel="search.log"/>
  <link href="/services/search/jobs/mysearch_02151949/events" rel="events"/>
  <link href="/services/search/jobs/mysearch_02151949/results" rel="results"/>
  <link href="/services/search/jobs/mysearch_02151949/results_preview" rel="results_preview"/>
  <link href="/services/search/jobs/mysearch_02151949/timeline" rel="timeline"/>
  <link href="/services/search/jobs/mysearch_02151949/summary" rel="summary"/>
  <link href="/services/search/jobs/mysearch_02151949/control" rel="control"/>
  <author>
    <name>admin</name>
  </author>
  <content type="text/xml">
    <s:dict>
      <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
      <s:key name="delegate"></s:key>
      <s:key name="diskUsage">2174976</s:key>
      <s:key name="dispatchState">DONE</s:key>
      <s:key name="doneProgress">1.00000</s:key>
      <s:key name="dropCount">0</s:key>
      <s:key name="earliestTime">2011-07-07T11:18:08.000-07:00</s:key>
      <s:key name="eventAvailableCount">287</s:key>
      <s:key name="eventCount">287</s:key>
      <s:key name="eventFieldCount">6</s:key>
      <s:key name="eventIsStreaming">1</s:key>
      <s:key name="eventIsTruncated">0</s:key>
      <s:key name="eventSearch">search index</s:key>
      <s:key name="eventSorting">desc</s:key>
      <s:key name="isDone">1</s:key>
      <s:key name="isFailed">0</s:key>
      <s:key name="isFinalized">0</s:key>
      <s:key name="isPaused">0</s:key>
      <s:key name="isPreviewEnabled">0</s:key>
      <s:key name="isRealTimeSearch">0</s:key>
      <s:key name="isRemoteTimeline">0</s:key>
      <s:key name="isSaved">0</s:key>
      <s:key name="isSavedSearch">0</s:key>
      <s:key name="isZombie">0</s:key>
      <s:key name="keywords">index</s:key>
      <s:key name="label"></s:key>
      <s:key name="latestTime">1969-12-31T16:00:00.000-08:00</s:key>
      <s:key name="numPreviews">0</s:key>
      <s:key name="priority">5</s:key>
      <s:key name="remoteSearch">litsearch index | fields  keepcolorder=t "host" "index" "linecount" "source" "sourcetype" "splunk_server"</s:key>
      <s:key name="reportSearch"></s:key>
      <s:key name="resultCount">287</s:key>
      <s:key name="resultIsStreaming">1</s:key>
      <s:key name="resultPreviewCount">287</s:key>
      <s:key name="runDuration">1.004000</s:key>
      <s:key name="scanCount">287</s:key>
      <s:key name="sid">mysearch_02151949</s:key>
      <s:key name="statusBuckets">0</s:key>
      <s:key name="ttl">516</s:key>
      <s:key name="performance">
        <s:dict>
          <s:key name="command.fields">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search">
            <s:dict>
              <s:key name="duration_secs">0.089</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">0</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.fieldalias">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.index">
            <s:dict>
              <s:key name="duration_secs">0.005</s:key>
              <s:key name="invocations">4</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.kv">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.lookups">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.rawdata">
            <s:dict>
              <s:key name="duration_secs">0.083</s:key>
              <s:key name="invocations">2</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.tags">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.typer">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.createProviderQueue">
            <s:dict>
              <s:key name="duration_secs">0.059</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.evaluate">
            <s:dict>
              <s:key name="duration_secs">0.037</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.evaluate.search">
            <s:dict>
              <s:key name="duration_secs">0.036</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.fetch">
            <s:dict>
              <s:key name="duration_secs">0.092</s:key>
              <s:key name="invocations">5</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.readEventsInResults">
            <s:dict>
              <s:key name="duration_secs">0.110</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.stream.local">
            <s:dict>
              <s:key name="duration_secs">0.089</s:key>
              <s:key name="invocations">4</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.timeline">
            <s:dict>
              <s:key name="duration_secs">0.359</s:key>
              <s:key name="invocations">5</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="messages">
        <s:dict/>
      </s:key>
      <s:key name="request">
        <s:dict>
          <s:key name="id">mysearch_02151949</s:key>
          <s:key name="search">search index</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>admin</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>admin</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="owner">admin</s:key>
          <s:key name="modifiable">true</s:key>
          <s:key name="sharing">global</s:key>
          <s:key name="app">search</s:key>
          <s:key name="can_write">true</s:key>
        </s:dict>
      </s:key>
      <s:key name="searchProviders">
        <s:list>
          <s:item>mbp15.splunk.com</s:item>
        </s:list>
      </s:key>
    </s:dict>
  </content>
</entry>

search/jobs/{search_id} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/{search_id} -d custom.*=UNDONE_curl_param
XML Response
TBD

search/jobs/{search_id}/control POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/control -d action=pause
XML Response
<response><messages><msg type='INFO'>Search job paused.</msg></messages></response>

search/jobs/{search_id}/events GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/1312313809.20/events --get -d f=arch -d f=build -d f=connectionType -d r -d count=3
XML Response
<results preview='0'>
<meta>
<fieldOrder>
<field>arch</field>
<field>build</field>
<field>connectionType</field>
<field>date_hour</field>
</fieldOrder>
</meta>
	<result offset='0'>
		<field k='arch'>
			<value><text>i686</text></value>
		</field>
		<field k='build'>
			<value><text>98164</text></value>
		</field>
		<field k='connectionType'>
			<value><text>cooked</text></value>
		</field>
		<field k='date_hour'>
			<value><text>19</text></value>
		</field>
	</result>
	<result offset='1'>
		<field k='arch'>
			<value><text>i686</text></value>
		</field>
		<field k='build'>
			<value><text>98164</text></value>
		</field>
		<field k='connectionType'>
			<value><text>cooked</text></value>
		</field>
		<field k='date_hour'>
			<value><text>19</text></value>
		</field>
	</result>
	<result offset='2'>
		<field k='arch'>
			<value><text>i686</text></value>
		</field>
		<field k='build'>
			<value><text>98164</text></value>
		</field>
		<field k='connectionType'>
			<value><text>cooked</text></value>
		</field>
		<field k='date_hour'>
			<value><text>19</text></value>
		</field>
	</result>
</results>

search/jobs/{search_id}/results GET

JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0,
  "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
        "type" : "DEBUG"
      },
      { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
        "type" : "DEBUG"
      }
    ],
  "preview" : false,
  "results" : [ { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      }
    ]
}

search/jobs/{search_id}/results_preview GET

JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results_preview --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response
{ "init_offset" : 0,
  "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
        "type" : "DEBUG"
      },
      { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
        "type" : "DEBUG"
      }
    ],
  "preview" : false,
  "results" : [ { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      }
    ]
}

search/jobs/{search_id}/search.log GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/search.log
XML Response
TBD
Raw Response
07-07-2011 21:36:22.066 INFO  ApplicationManager - Found application directory: /Applications/splunk4.3/etc/apps/user-prefs
07-07-2011 21:36:22.066 INFO  ApplicationManager - Initialized at least 12 applications: /Applications/splunk4.3/etc/apps
07-07-2011 21:36:22.066 INFO  ApplicationManager - Found 5 application(s) that might have global exports
07-07-2011 21:36:22.073 INFO  dispatchRunner - initing LicenseMgr in search process: nonPro=0
07-07-2011 21:36:22.074 INFO  LicenseMgr - Initing LicenseMgr
07-07-2011 21:36:22.075 INFO  ServerConfig - My GUID is "1F3A34AE-75DA-4680-B184-5BF309843919".
07-07-2011 21:36:22.075 INFO  ServerConfig - My hostname is "ombroso-mbp15.local".
07-07-2011 21:36:22.076 INFO  SSLCommon - added zlib compression
07-07-2011 21:36:22.077 INFO  ServerConfig - Default output queue for file-based input: parsingQueue.
07-07-2011 21:36:22.077 INFO  LMConfig - serverName=mbp15.splunk.com guid=1F3A34AE-75DA-4680-B184-5BF309843919 
07-07-2011 21:36:22.077 INFO  LMConfig - connection_timeout=30
07-07-2011 21:36:22.077 INFO  LMConfig - send_timeout=30
07-07-2011 21:36:22.077 INFO  LMConfig - receive_timeout=30
. . . elided . . .

search/jobs/{search_id}/summary GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/summary --get -d f=source -d f=sourcetype -d f=host -d top_count=5
XML Response
<?xml version='1.0' encoding='UTF-8'?>
<summary earliest_time='1969-12-31T16:00:00.000-08:00' latest_time='1969-12-31T16:00:00.464-08:00' duration='0' c='150375'>
	<field k='host' c='150375' nc='0' dc='1' exact='1'>
		<modes>
			<value c='150375' exact='1'><text>tiny</text></value>		</modes>
	</field>
	<field k='source' c='150375' nc='0' dc='13' exact='1'>
		<modes>
			<value c='136107' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/metrics.log</text></value>			<value c='6682' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd_access.log</text></value>			<value c='4656' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/scheduler.log</text></value>			<value c='1714' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/web_access.log</text></value>			<value c='937' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd.log</text></value>		</modes>
	</field>
	<field k='sourcetype' c='150375' nc='0' dc='10' exact='1'>
		<modes>
			<value c='137053' exact='1'><text>splunkd</text></value>			<value c='6682' exact='1'><text>splunkd_access</text></value>			<value c='4656' exact='1'><text>scheduler</text></value>			<value c='1714' exact='1'><text>splunk_web_access</text></value>			<value c='193' exact='1'><text>splunk_web_service</text></value>		</modes>
	</field>
</summary>

search/jobs/{search_id}/timeline GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/timeline --get -d time_format="%c"
XML Response
<timeline c='150397' cursor='1312308000'>
<bucket c='7741' a='7741' t='1312308000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 11:00:00 2011</bucket>
<bucket c='7894' a='7894' t='1312311600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 12:00:00 2011</bucket>
<bucket c='7406' a='7406' t='1312315200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 13:00:00 2011</bucket>
<bucket c='6097' a='6097' t='1312318800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 14:00:00 2011</bucket>
<bucket c='6072' a='6072' t='1312322400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 15:00:00 2011</bucket>
<bucket c='6002' a='6002' t='1312326000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 16:00:00 2011</bucket>
<bucket c='6004' a='6004' t='1312329600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 17:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312333200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 18:00:00 2011</bucket>
<bucket c='6037' a='6037' t='1312336800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 19:00:00 2011</bucket>
<bucket c='6021' a='6021' t='1312340400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 20:00:00 2011</bucket>
<bucket c='6051' a='6051' t='1312344000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 21:00:00 2011</bucket>
<bucket c='6006' a='6006' t='1312347600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 22:00:00 2011</bucket>
<bucket c='6041' a='6041' t='1312351200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 23:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312354800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 00:00:00 2011</bucket>
<bucket c='6040' a='6040' t='1312358400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 01:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312362000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 02:00:00 2011</bucket>
<bucket c='6061' a='6061' t='1312365600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 03:00:00 2011</bucket>
<bucket c='5995' a='5995' t='1312369200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 04:00:00 2011</bucket>
<bucket c='5988' a='5988' t='1312372800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 05:00:00 2011</bucket>
<bucket c='6042' a='6042' t='1312376400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 06:00:00 2011</bucket>
<bucket c='5998' a='5998' t='1312380000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 07:00:00 2011</bucket>
<bucket c='6055' a='6055' t='1312383600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 08:00:00 2011</bucket>
<bucket c='5997' a='5997' t='1312387200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 09:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312390800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 10:00:00 2011</bucket>
<bucket c='875' a='875' t='1312394400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 11:00:00 2011</bucket>
</timeline>

search/parser GET

JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/parser --get -d output_mode=json -d q="search index=os sourcetype=cpu"
JSON Response
{
	"remoteSearch": "litsearch  | fields  keepcolorder=t \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
	"remoteTimeOrdered": true,
	"eventsSearch": "search ",
	"eventsTimeOrdered": true,
	"eventsStreaming": true,
	"reportsSearch": "",
	"commands": [
		{
			"command": "search",
			"rawargs": "",
			"pipeline": "streaming",
			"args": {
				"search": [""],
			}
			"isGenerating": true,
			"streamType": "SP_STREAM",
		},
	]
}

search/scheduler GET

Request
curl -k -u admin:pass https://localhost:8089/services/search/scheduler
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduler</title>
  <id>https://localhost:8089/services/search/scheduler</id>
  <updated>2015-06-09T13:23:38-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/search/scheduler/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler</title>
    <id>https://localhost:8089/services/search/scheduler/scheduler</id>
    <updated>2015-06-09T13:23:38-07:00</updated>
    <link href="/services/search/scheduler/scheduler" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/search/scheduler/scheduler" rel="list"/>
    <link href="/services/search/scheduler/scheduler" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="saved_searches_disabled">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/scheduler/status POST

XML
Request
# disabled=1 switches the search scheduler off, so scheduled searches (and any
# alerting that depends on them) stop running until it is re-enabled with
# disabled=0. Restrict who can call this endpoint and review calls to it in the
# audit trail.
curl -ku admin:pass -XPOST https://localhost:8089/services/search/scheduler/status -d disabled=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduler</title>
  <id>https://localhost:8089/services/search/scheduler</id>
  <updated>2015-06-09T13:40:21-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/search/scheduler/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

search/timeparser GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/timeparser --get -d time=-12h -d time=-24h
XML Response
<response>
	<dict>
		<key name="-12h">2011-07-06T21:54:23.000-07:00</key>
		<key name="-24h">2011-07-06T09:54:23.000-07:00</key>
	</dict>
</response>

search/typeahead GET

JSON
JSON Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/typeahead --get -d count=3 -d prefix=source -d output_mode=json
JSON Response
{ "results" : [ { "content" : "source=\"sampledata.zip:./apache1.splunk.com/access_combined.log\"",
        "count" : 9199,
        "operator" : false
      },
      { "content" : "source=\"sampledata.zip:./apache2.splunk.com/access_combined.log\"",
        "count" : 27705,
        "operator" : false
      },
      { "content" : "source=\"sampledata.zip:./apache3.splunk.com/access_combined.log\"",
        "count" : 27888,
        "operator" : false
      }
    ] 
}

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

