Splunk v1.2.4, Aug 24 23

Splunk v1.2.4 published on Thursday, Aug 24, 2023 by Pulumi

splunk.SavedSearches

Explore with Pulumi AI

Splunk v1.2.4 published on Thursday, Aug 24, 2023 by Pulumi

pulumi/pulumi-splunk

# Resource: splunk.SavedSearches

Create and manage saved searches.

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Splunk = Pulumi.Splunk;

return await Deployment.RunAsync(() => 
{
    var savedSearch = new Splunk.SavedSearches("savedSearch", new()
    {
        Acl = new Splunk.Inputs.SavedSearchesAclArgs
        {
            App = "launcher",
            Owner = "admin",
            Sharing = "app",
        },
        ActionEmailFormat = "table",
        ActionEmailMaxResults = 10,
        ActionEmailMaxTime = "5m",
        ActionEmailSendResults = false,
        ActionEmailSubject = "Splunk Alert: $name$",
        ActionEmailTo = "splunk@splunk.com",
        ActionEmailTrackAlert = true,
        Actions = "email",
        CronSchedule = "*/5 * * * *",
        DispatchEarliestTime = "rt-15m",
        DispatchLatestTime = "rt-0m",
        Search = "index=main",
    });

});

package main

import (
	"github.com/pulumi/pulumi-splunk/sdk/go/splunk"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := splunk.NewSavedSearches(ctx, "savedSearch", &splunk.SavedSearchesArgs{
			Acl: &splunk.SavedSearchesAclArgs{
				App:     pulumi.String("launcher"),
				Owner:   pulumi.String("admin"),
				Sharing: pulumi.String("app"),
			},
			ActionEmailFormat:      pulumi.String("table"),
			ActionEmailMaxResults:  pulumi.Int(10),
			ActionEmailMaxTime:     pulumi.String("5m"),
			ActionEmailSendResults: pulumi.Bool(false),
			ActionEmailSubject:     pulumi.String("Splunk Alert: $name$"),
			ActionEmailTo:          pulumi.String("splunk@splunk.com"),
			ActionEmailTrackAlert:  pulumi.Bool(true),
			Actions:                pulumi.String("email"),
			CronSchedule:           pulumi.String("*/5 * * * *"),
			DispatchEarliestTime:   pulumi.String("rt-15m"),
			DispatchLatestTime:     pulumi.String("rt-0m"),
			Search:                 pulumi.String("index=main"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.splunk.SavedSearches;
import com.pulumi.splunk.SavedSearchesArgs;
import com.pulumi.splunk.inputs.SavedSearchesAclArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var savedSearch = new SavedSearches("savedSearch", SavedSearchesArgs.builder()        
            .acl(SavedSearchesAclArgs.builder()
                .app("launcher")
                .owner("admin")
                .sharing("app")
                .build())
            .actionEmailFormat("table")
            .actionEmailMaxResults(10)
            .actionEmailMaxTime("5m")
            .actionEmailSendResults(false)
            .actionEmailSubject("Splunk Alert: $name$")
            .actionEmailTo("splunk@splunk.com")
            .actionEmailTrackAlert(true)
            .actions("email")
            .cronSchedule("*/5 * * * *")
            .dispatchEarliestTime("rt-15m")
            .dispatchLatestTime("rt-0m")
            .search("index=main")
            .build());

    }
}

import pulumi
import pulumi_splunk as splunk

saved_search = splunk.SavedSearches("savedSearch",
    acl=splunk.SavedSearchesAclArgs(
        app="launcher",
        owner="admin",
        sharing="app",
    ),
    action_email_format="table",
    action_email_max_results=10,
    action_email_max_time="5m",
    action_email_send_results=False,
    action_email_subject="Splunk Alert: $name$",
    action_email_to="splunk@splunk.com",
    action_email_track_alert=True,
    actions="email",
    cron_schedule="*/5 * * * *",
    dispatch_earliest_time="rt-15m",
    dispatch_latest_time="rt-0m",
    search="index=main")

import * as pulumi from "@pulumi/pulumi";
import * as splunk from "@pulumi/splunk";

const savedSearch = new splunk.SavedSearches("savedSearch", {
    acl: {
        app: "launcher",
        owner: "admin",
        sharing: "app",
    },
    actionEmailFormat: "table",
    actionEmailMaxResults: 10,
    actionEmailMaxTime: "5m",
    actionEmailSendResults: false,
    actionEmailSubject: "Splunk Alert: $name$",
    actionEmailTo: "splunk@splunk.com",
    actionEmailTrackAlert: true,
    actions: "email",
    cronSchedule: "*/5 * * * *",
    dispatchEarliestTime: "rt-15m",
    dispatchLatestTime: "rt-0m",
    search: "index=main",
});

resources:
  savedSearch:
    type: splunk:SavedSearches
    properties:
      acl:
        app: launcher
        owner: admin
        sharing: app
      actionEmailFormat: table
      actionEmailMaxResults: 10
      actionEmailMaxTime: 5m
      actionEmailSendResults: false
      actionEmailSubject: 'Splunk Alert: $name$'
      actionEmailTo: splunk@splunk.com
      actionEmailTrackAlert: true
      actions: email
      cronSchedule: '*/5 * * * *'
      dispatchEarliestTime: rt-15m
      dispatchLatestTime: rt-0m
      search: index=main

Create SavedSearches Resource

new SavedSearches(name: string, args: SavedSearchesArgs, opts?: CustomResourceOptions);

@overload
def SavedSearches(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  acl: Optional[SavedSearchesAclArgs] = None,
                  action_create_xsoar_incident: Optional[str] = None,
                  action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
                  action_create_xsoar_incident_param_details: Optional[str] = None,
                  action_create_xsoar_incident_param_incident_name: Optional[str] = None,
                  action_create_xsoar_incident_param_occurred: Optional[str] = None,
                  action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
                  action_create_xsoar_incident_param_server_url: Optional[str] = None,
                  action_create_xsoar_incident_param_severity: Optional[str] = None,
                  action_create_xsoar_incident_param_type: Optional[str] = None,
                  action_email_auth_password: Optional[str] = None,
                  action_email_auth_username: Optional[str] = None,
                  action_email_bcc: Optional[str] = None,
                  action_email_cc: Optional[str] = None,
                  action_email_command: Optional[str] = None,
                  action_email_format: Optional[str] = None,
                  action_email_from: Optional[str] = None,
                  action_email_hostname: Optional[str] = None,
                  action_email_include_results_link: Optional[int] = None,
                  action_email_include_search: Optional[int] = None,
                  action_email_include_trigger: Optional[int] = None,
                  action_email_include_trigger_time: Optional[int] = None,
                  action_email_include_view_link: Optional[int] = None,
                  action_email_inline: Optional[bool] = None,
                  action_email_mailserver: Optional[str] = None,
                  action_email_max_results: Optional[int] = None,
                  action_email_max_time: Optional[str] = None,
                  action_email_message_alert: Optional[str] = None,
                  action_email_message_report: Optional[str] = None,
                  action_email_pdfview: Optional[str] = None,
                  action_email_preprocess_results: Optional[str] = None,
                  action_email_report_cid_font_list: Optional[str] = None,
                  action_email_report_include_splunk_logo: Optional[bool] = None,
                  action_email_report_paper_orientation: Optional[str] = None,
                  action_email_report_paper_size: Optional[str] = None,
                  action_email_report_server_enabled: Optional[bool] = None,
                  action_email_report_server_url: Optional[str] = None,
                  action_email_send_csv: Optional[int] = None,
                  action_email_send_pdf: Optional[bool] = None,
                  action_email_send_results: Optional[bool] = None,
                  action_email_subject: Optional[str] = None,
                  action_email_to: Optional[str] = None,
                  action_email_track_alert: Optional[bool] = None,
                  action_email_ttl: Optional[str] = None,
                  action_email_use_ssl: Optional[bool] = None,
                  action_email_use_tls: Optional[bool] = None,
                  action_email_width_sort_columns: Optional[bool] = None,
                  action_jira_service_desk_param_account: Optional[str] = None,
                  action_jira_service_desk_param_jira_description: Optional[str] = None,
                  action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
                  action_jira_service_desk_param_jira_priority: Optional[str] = None,
                  action_jira_service_desk_param_jira_project: Optional[str] = None,
                  action_jira_service_desk_param_jira_summary: Optional[str] = None,
                  action_pagerduty_custom_details: Optional[str] = None,
                  action_pagerduty_integration_key: Optional[str] = None,
                  action_pagerduty_integration_key_override: Optional[str] = None,
                  action_pagerduty_integration_url: Optional[str] = None,
                  action_pagerduty_integration_url_override: Optional[str] = None,
                  action_populate_lookup_command: Optional[str] = None,
                  action_populate_lookup_dest: Optional[str] = None,
                  action_populate_lookup_hostname: Optional[str] = None,
                  action_populate_lookup_max_results: Optional[int] = None,
                  action_populate_lookup_max_time: Optional[int] = None,
                  action_populate_lookup_track_alert: Optional[bool] = None,
                  action_populate_lookup_ttl: Optional[str] = None,
                  action_rss_command: Optional[str] = None,
                  action_rss_hostname: Optional[str] = None,
                  action_rss_max_results: Optional[int] = None,
                  action_rss_max_time: Optional[int] = None,
                  action_rss_track_alert: Optional[bool] = None,
                  action_rss_ttl: Optional[str] = None,
                  action_script_command: Optional[str] = None,
                  action_script_filename: Optional[str] = None,
                  action_script_hostname: Optional[str] = None,
                  action_script_max_results: Optional[int] = None,
                  action_script_max_time: Optional[int] = None,
                  action_script_track_alert: Optional[bool] = None,
                  action_script_ttl: Optional[str] = None,
                  action_slack_param_attachment: Optional[str] = None,
                  action_slack_param_channel: Optional[str] = None,
                  action_slack_param_fields: Optional[str] = None,
                  action_slack_param_message: Optional[str] = None,
                  action_slack_param_webhook_url_override: Optional[str] = None,
                  action_snow_event_param_account: Optional[str] = None,
                  action_snow_event_param_additional_info: Optional[str] = None,
                  action_snow_event_param_ci_identifier: Optional[str] = None,
                  action_snow_event_param_custom_fields: Optional[str] = None,
                  action_snow_event_param_description: Optional[str] = None,
                  action_snow_event_param_node: Optional[str] = None,
                  action_snow_event_param_resource: Optional[str] = None,
                  action_snow_event_param_severity: Optional[int] = None,
                  action_snow_event_param_type: Optional[str] = None,
                  action_summary_index_command: Optional[str] = None,
                  action_summary_index_hostname: Optional[str] = None,
                  action_summary_index_inline: Optional[bool] = None,
                  action_summary_index_max_results: Optional[int] = None,
                  action_summary_index_max_time: Optional[int] = None,
                  action_summary_index_name: Optional[str] = None,
                  action_summary_index_track_alert: Optional[bool] = None,
                  action_summary_index_ttl: Optional[str] = None,
                  action_webhook_param_url: Optional[str] = None,
                  actions: Optional[str] = None,
                  alert_comparator: Optional[str] = None,
                  alert_condition: Optional[str] = None,
                  alert_digest_mode: Optional[bool] = None,
                  alert_expires: Optional[str] = None,
                  alert_severity: Optional[int] = None,
                  alert_suppress: Optional[bool] = None,
                  alert_suppress_fields: Optional[str] = None,
                  alert_suppress_period: Optional[str] = None,
                  alert_threshold: Optional[str] = None,
                  alert_track: Optional[bool] = None,
                  alert_type: Optional[str] = None,
                  allow_skew: Optional[str] = None,
                  auto_summarize: Optional[bool] = None,
                  auto_summarize_command: Optional[str] = None,
                  auto_summarize_cron_schedule: Optional[str] = None,
                  auto_summarize_dispatch_earliest_time: Optional[str] = None,
                  auto_summarize_dispatch_latest_time: Optional[str] = None,
                  auto_summarize_dispatch_time_format: Optional[str] = None,
                  auto_summarize_dispatch_ttl: Optional[str] = None,
                  auto_summarize_max_disabled_buckets: Optional[int] = None,
                  auto_summarize_max_summary_ratio: Optional[float] = None,
                  auto_summarize_max_summary_size: Optional[int] = None,
                  auto_summarize_max_time: Optional[int] = None,
                  auto_summarize_suspend_period: Optional[str] = None,
                  auto_summarize_timespan: Optional[str] = None,
                  cron_schedule: Optional[str] = None,
                  description: Optional[str] = None,
                  disabled: Optional[bool] = None,
                  dispatch_buckets: Optional[int] = None,
                  dispatch_earliest_time: Optional[str] = None,
                  dispatch_index_earliest: Optional[str] = None,
                  dispatch_index_latest: Optional[str] = None,
                  dispatch_indexed_realtime: Optional[bool] = None,
                  dispatch_indexed_realtime_minspan: Optional[int] = None,
                  dispatch_indexed_realtime_offset: Optional[int] = None,
                  dispatch_latest_time: Optional[str] = None,
                  dispatch_lookups: Optional[bool] = None,
                  dispatch_max_count: Optional[int] = None,
                  dispatch_max_time: Optional[int] = None,
                  dispatch_reduce_freq: Optional[int] = None,
                  dispatch_rt_backfill: Optional[bool] = None,
                  dispatch_rt_maximum_span: Optional[int] = None,
                  dispatch_spawn_process: Optional[bool] = None,
                  dispatch_time_format: Optional[str] = None,
                  dispatch_ttl: Optional[str] = None,
                  display_view: Optional[str] = None,
                  is_scheduled: Optional[bool] = None,
                  is_visible: Optional[bool] = None,
                  max_concurrent: Optional[int] = None,
                  name: Optional[str] = None,
                  realtime_schedule: Optional[bool] = None,
                  request_ui_dispatch_app: Optional[str] = None,
                  request_ui_dispatch_view: Optional[str] = None,
                  restart_on_searchpeer_add: Optional[bool] = None,
                  run_on_startup: Optional[bool] = None,
                  schedule_priority: Optional[str] = None,
                  schedule_window: Optional[str] = None,
                  search: Optional[str] = None,
                  vsid: Optional[str] = None,
                  workload_pool: Optional[str] = None)
@overload
def SavedSearches(resource_name: str,
                  args: SavedSearchesArgs,
                  opts: Optional[ResourceOptions] = None)

func NewSavedSearches(ctx *Context, name string, args SavedSearchesArgs, opts ...ResourceOption) (*SavedSearches, error)

public SavedSearches(string name, SavedSearchesArgs args, CustomResourceOptions? opts = null)

public SavedSearches(String name, SavedSearchesArgs args)
public SavedSearches(String name, SavedSearchesArgs args, CustomResourceOptions options)

type: splunk:SavedSearches
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SavedSearchesArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SavedSearchesArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SavedSearchesArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SavedSearchesArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SavedSearchesArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

SavedSearches Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SavedSearches resource accepts the following input properties:

Search string: Required when creating a new search.
Acl SavedSearchesAcl: The app/user context that is the namespace for the resource
ActionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
ActionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
ActionCreateXsoarIncidentParamDetails string: XSOAR incident description
ActionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
ActionCreateXsoarIncidentParamOccurred string: XSOAR incident time
ActionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
ActionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
ActionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
ActionCreateXsoarIncidentParamType string: XSOAR incident type
ActionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
ActionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
ActionEmailBcc string: BCC email address to use if action.email is enabled.
ActionEmailCc string: CC email address to use if action.email is enabled.
ActionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
ActionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
ActionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
ActionEmailIncludeResultsLink int: Specify whether to include a link to the results. Defaults to 0.
ActionEmailIncludeSearch int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
ActionEmailIncludeTrigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
ActionEmailIncludeTriggerTime int: Specify whether to show the time that the alert was fired. Defaults to 0.
ActionEmailIncludeViewLink int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
ActionEmailInline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
ActionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
ActionEmailMaxResults int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
ActionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
ActionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
ActionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
ActionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
ActionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
ActionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
ActionEmailReportIncludeSplunkLogo bool: Indicates whether to include the Splunk logo with the report.
ActionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
ActionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
ActionEmailReportServerEnabled bool: No Supported
ActionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
ActionEmailSendCsv int: Specify whether to send results as a CSV file. Defaults to 0.
ActionEmailSendPdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
ActionEmailSendResults bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
ActionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
ActionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
ActionEmailTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
ActionEmailUseSsl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
ActionEmailUseTls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
ActionEmailWidthSortColumns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
ActionJiraServiceDeskParamAccount string: Jira Service Desk account name
ActionJiraServiceDeskParamJiraDescription string: Jira issue description
ActionJiraServiceDeskParamJiraIssueType string: Jira issue type name
ActionJiraServiceDeskParamJiraPriority string: Jira priority of issue
ActionJiraServiceDeskParamJiraProject string: Jira Project name
ActionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
ActionPagerdutyCustomDetails string: The PagerDuty custom details information.
ActionPagerdutyIntegrationKey string: The PagerDuty integration Key.
ActionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
ActionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
ActionPopulateLookupDest string: Lookup name of path of the lookup to populate
ActionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionPopulateLookupMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionPopulateLookupMaxTime int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
ActionPopulateLookupTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
ActionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionRssMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionRssMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionRssTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionScriptFilename string: File name of the script to call. Required if script action is enabled
ActionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionScriptMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionScriptMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionScriptTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
ActionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
ActionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
ActionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
ActionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
ActionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
ActionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
ActionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
ActionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
ActionSnowEventParamDescription string: A brief description of the event.
ActionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
ActionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
ActionSnowEventParamSeverity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
ActionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
ActionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionSummaryIndexInline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
ActionSummaryIndexMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionSummaryIndexMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
ActionSummaryIndexTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
Actions string: A comma-separated list of actions to enable. For example: rss,email
AlertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
AlertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
AlertDigestMode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
AlertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertSeverity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
AlertSuppress bool: Indicates whether alert suppression is enabled for this scheduled search.
AlertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
AlertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
AlertTrack bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
AlertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
AllowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
AutoSummarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
AutoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
AutoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
AutoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
AutoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
AutoSummarizeMaxDisabledBuckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
AutoSummarizeMaxSummaryRatio double: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
AutoSummarizeMaxSummarySize int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
AutoSummarizeMaxTime int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
AutoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
AutoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
CronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
Description string: Human-readable description of this saved search. Defaults to empty string.
Disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
DispatchBuckets int: The maximum number of timeline buckets. Defaults to 0.
DispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtimeMinspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchIndexedRealtimeOffset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchLookups bool: Enables or disables the lookups for this search. Defaults to 1.
DispatchMaxCount int: The maximum number of results before finalizing the search. Defaults to 500000.
DispatchMaxTime int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
DispatchReduceFreq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
DispatchRtBackfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
DispatchRtMaximumSpan int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
DispatchSpawnProcess bool: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
DispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
DispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
DisplayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
IsScheduled bool: Whether this search is to be run on a schedule
IsVisible bool: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
MaxConcurrent int: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
Name string: A name for the search.
RealtimeSchedule bool: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
RequestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
RequestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
RestartOnSearchpeerAdd bool: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
RunOnStartup bool: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
SchedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
ScheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
Vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
WorkloadPool string: Specifies the new workload pool where the existing running search will be placed.`

Search string: Required when creating a new search.
Acl SavedSearchesAclArgs: The app/user context that is the namespace for the resource
ActionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
ActionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
ActionCreateXsoarIncidentParamDetails string: XSOAR incident description
ActionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
ActionCreateXsoarIncidentParamOccurred string: XSOAR incident time
ActionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
ActionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
ActionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
ActionCreateXsoarIncidentParamType string: XSOAR incident type
ActionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
ActionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
ActionEmailBcc string: BCC email address to use if action.email is enabled.
ActionEmailCc string: CC email address to use if action.email is enabled.
ActionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
ActionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
ActionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
ActionEmailIncludeResultsLink int: Specify whether to include a link to the results. Defaults to 0.
ActionEmailIncludeSearch int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
ActionEmailIncludeTrigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
ActionEmailIncludeTriggerTime int: Specify whether to show the time that the alert was fired. Defaults to 0.
ActionEmailIncludeViewLink int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
ActionEmailInline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
ActionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
ActionEmailMaxResults int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
ActionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
ActionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
ActionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
ActionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
ActionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
ActionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
ActionEmailReportIncludeSplunkLogo bool: Indicates whether to include the Splunk logo with the report.
ActionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
ActionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
ActionEmailReportServerEnabled bool: No Supported
ActionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
ActionEmailSendCsv int: Specify whether to send results as a CSV file. Defaults to 0.
ActionEmailSendPdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
ActionEmailSendResults bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
ActionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
ActionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
ActionEmailTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
ActionEmailUseSsl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
ActionEmailUseTls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
ActionEmailWidthSortColumns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
ActionJiraServiceDeskParamAccount string: Jira Service Desk account name
ActionJiraServiceDeskParamJiraDescription string: Jira issue description
ActionJiraServiceDeskParamJiraIssueType string: Jira issue type name
ActionJiraServiceDeskParamJiraPriority string: Jira priority of issue
ActionJiraServiceDeskParamJiraProject string: Jira Project name
ActionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
ActionPagerdutyCustomDetails string: The PagerDuty custom details information.
ActionPagerdutyIntegrationKey string: The PagerDuty integration Key.
ActionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
ActionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
ActionPopulateLookupDest string: Lookup name of path of the lookup to populate
ActionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionPopulateLookupMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionPopulateLookupMaxTime int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
ActionPopulateLookupTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
ActionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionRssMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionRssMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionRssTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionScriptFilename string: File name of the script to call. Required if script action is enabled
ActionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionScriptMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionScriptMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionScriptTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
ActionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
ActionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
ActionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
ActionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
ActionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
ActionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
ActionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
ActionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
ActionSnowEventParamDescription string: A brief description of the event.
ActionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
ActionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
ActionSnowEventParamSeverity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
ActionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
ActionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionSummaryIndexInline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
ActionSummaryIndexMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionSummaryIndexMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
ActionSummaryIndexTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
Actions string: A comma-separated list of actions to enable. For example: rss,email
AlertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
AlertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
AlertDigestMode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
AlertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertSeverity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
AlertSuppress bool: Indicates whether alert suppression is enabled for this scheduled search.
AlertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
AlertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
AlertTrack bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
AlertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
AllowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
AutoSummarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
AutoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
AutoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
AutoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
AutoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
AutoSummarizeMaxDisabledBuckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
AutoSummarizeMaxSummaryRatio float64: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
AutoSummarizeMaxSummarySize int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
AutoSummarizeMaxTime int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
AutoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
AutoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
CronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
Description string: Human-readable description of this saved search. Defaults to empty string.
Disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
DispatchBuckets int: The maximum number of timeline buckets. Defaults to 0.
DispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtimeMinspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchIndexedRealtimeOffset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchLookups bool: Enables or disables the lookups for this search. Defaults to 1.
DispatchMaxCount int: The maximum number of results before finalizing the search. Defaults to 500000.
DispatchMaxTime int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
DispatchReduceFreq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
DispatchRtBackfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
DispatchRtMaximumSpan int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
DispatchSpawnProcess bool: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
DispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
DispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
DisplayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
IsScheduled bool: Whether this search is to be run on a schedule
IsVisible bool: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
MaxConcurrent int: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
Name string: A name for the search.
RealtimeSchedule bool: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
RequestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
RequestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
RestartOnSearchpeerAdd bool: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
RunOnStartup bool: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
SchedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
ScheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
Vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
WorkloadPool string: Specifies the new workload pool where the existing running search will be placed.`

search String: Required when creating a new search.
acl SavedSearchesAcl: The app/user context that is the namespace for the resource
actionCreateXsoarIncident String: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
actionCreateXsoarIncidentParamCustomFields String: XSOAR custom incident fields (should be a comma separated list)
actionCreateXsoarIncidentParamDetails String: XSOAR incident description
actionCreateXsoarIncidentParamIncidentName String: XSOAR incident name
actionCreateXsoarIncidentParamOccurred String: XSOAR incident time
actionCreateXsoarIncidentParamSendAllServers String: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
actionCreateXsoarIncidentParamServerUrl String: XSOAR Server instance URL (Should start with https:// || http://)
actionCreateXsoarIncidentParamSeverity String: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
actionCreateXsoarIncidentParamType String: XSOAR incident type
actionEmailAuthPassword String: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
actionEmailAuthUsername String: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
actionEmailBcc String: BCC email address to use if action.email is enabled.
actionEmailCc String: CC email address to use if action.email is enabled.
actionEmailCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionEmailFormat String: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
actionEmailFrom String: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
actionEmailHostname String: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
actionEmailIncludeResultsLink Integer: Specify whether to include a link to the results. Defaults to 0.
actionEmailIncludeSearch Integer: Specify whether to include the search that caused an email to be sent. Defaults to 0.
actionEmailIncludeTrigger Integer: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
actionEmailIncludeTriggerTime Integer: Specify whether to show the time that the alert was fired. Defaults to 0.
actionEmailIncludeViewLink Integer: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
actionEmailInline Boolean: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
actionEmailMailserver String: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
actionEmailMaxResults Integer: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
actionEmailMaxTime String: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
actionEmailMessageAlert String: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
actionEmailMessageReport String: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
actionEmailPdfview String: The name of the view to deliver if sendpdf is enabled
actionEmailPreprocessResults String: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
actionEmailReportCidFontList String: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
actionEmailReportIncludeSplunkLogo Boolean: Indicates whether to include the Splunk logo with the report.
actionEmailReportPaperOrientation String: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
actionEmailReportPaperSize String: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
actionEmailReportServerEnabled Boolean: No Supported
actionEmailReportServerUrl String: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
actionEmailSendCsv Integer: Specify whether to send results as a CSV file. Defaults to 0.
actionEmailSendPdf Boolean: Indicates whether to create and send the results as a PDF. Defaults to false.
actionEmailSendResults Boolean: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
actionEmailSubject String: Specifies an alternate email subject.Defaults to SplunkAlert-.
actionEmailTo String: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
actionEmailTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionEmailTtl String: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
actionEmailUseSsl Boolean: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
actionEmailUseTls Boolean: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
actionEmailWidthSortColumns Boolean: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
actionJiraServiceDeskParamAccount String: Jira Service Desk account name
actionJiraServiceDeskParamJiraDescription String: Jira issue description
actionJiraServiceDeskParamJiraIssueType String: Jira issue type name
actionJiraServiceDeskParamJiraPriority String: Jira priority of issue
actionJiraServiceDeskParamJiraProject String: Jira Project name
actionJiraServiceDeskParamJiraSummary String: Jira issue title/summary
actionPagerdutyCustomDetails String: The PagerDuty custom details information.
actionPagerdutyIntegrationKey String: The PagerDuty integration Key.
actionPagerdutyIntegrationKeyOverride String: The PagerDuty integration Key override.
actionPagerdutyIntegrationUrl String: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPagerdutyIntegrationUrlOverride String: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPopulateLookupCommand String: The search command (or pipeline) which is responsible for executing the action.
actionPopulateLookupDest String: Lookup name of path of the lookup to populate
actionPopulateLookupHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionPopulateLookupMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionPopulateLookupMaxTime Integer: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
actionPopulateLookupTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionPopulateLookupTtl String: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
actionRssCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionRssHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionRssMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionRssMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionRssTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionRssTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionScriptCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionScriptFilename String: File name of the script to call. Required if script action is enabled
actionScriptHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionScriptMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionScriptMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionScriptTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionScriptTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionSlackParamAttachment String: Include a message attachment. Valid values are message, none, or alert_link
actionSlackParamChannel String: Slack channel to send the message to (Should start with # or @)
actionSlackParamFields String: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
actionSlackParamMessage String: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
actionSlackParamWebhookUrlOverride String: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
actionSnowEventParamAccount String: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
actionSnowEventParamAdditionalInfo String: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
actionSnowEventParamCiIdentifier String: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
actionSnowEventParamCustomFields String: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
actionSnowEventParamDescription String: A brief description of the event.
actionSnowEventParamNode String: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
actionSnowEventParamResource String: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
actionSnowEventParamSeverity Integer: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
actionSnowEventParamType String: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
actionSummaryIndexCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionSummaryIndexHostname String: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionSummaryIndexInline Boolean: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
actionSummaryIndexMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionSummaryIndexMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionSummaryIndexName String: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
actionSummaryIndexTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionSummaryIndexTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionWebhookParamUrl String: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions String: A comma-separated list of actions to enable. For example: rss,email
alertComparator String: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alertCondition String: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alertDigestMode Boolean: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alertExpires String: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertSeverity Integer: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alertSuppress Boolean: Indicates whether alert suppression is enabled for this scheduled search.
alertSuppressFields String: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alertSuppressPeriod String: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertThreshold String: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alertTrack Boolean: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alertType String: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allowSkew String: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
autoSummarize Boolean: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
autoSummarizeCommand String: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
autoSummarizeCronSchedule String: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
autoSummarizeDispatchEarliestTime String: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchLatestTime String: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchTimeFormat String: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
autoSummarizeDispatchTtl String: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
autoSummarizeMaxDisabledBuckets Integer: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
autoSummarizeMaxSummaryRatio Double: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
autoSummarizeMaxSummarySize Integer: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
autoSummarizeMaxTime Integer: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
autoSummarizeSuspendPeriod String: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
autoSummarizeTimespan String: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cronSchedule String: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description String: Human-readable description of this saved search. Defaults to empty string.
disabled Boolean: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatchBuckets Integer: The maximum number of timeline buckets. Defaults to 0.
dispatchEarliestTime String: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexEarliest String: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexLatest String: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtime Boolean: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtimeMinspan Integer: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchIndexedRealtimeOffset Integer: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchLatestTime String: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchLookups Boolean: Enables or disables the lookups for this search. Defaults to 1.
dispatchMaxCount Integer: The maximum number of results before finalizing the search. Defaults to 500000.
dispatchMaxTime Integer: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatchReduceFreq Integer: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatchRtBackfill Boolean: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatchRtMaximumSpan Integer: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatchSpawnProcess Boolean: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatchTimeFormat String: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatchTtl String: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
displayView String: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
isScheduled Boolean: Whether this search is to be run on a schedule
isVisible Boolean: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
maxConcurrent Integer: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name String: A name for the search.
realtimeSchedule Boolean: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
requestUiDispatchApp String: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
requestUiDispatchView String: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restartOnSearchpeerAdd Boolean: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
runOnStartup Boolean: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedulePriority String: Raises the scheduling priority of the named search. Defaults to Default
scheduleWindow String: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
vsid String: Defines the viewstate id associated with the UI view listed in 'displayview'.
workloadPool String: Specifies the new workload pool where the existing running search will be placed.`

search string: Required when creating a new search.
acl SavedSearchesAcl: The app/user context that is the namespace for the resource
actionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
actionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
actionCreateXsoarIncidentParamDetails string: XSOAR incident description
actionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
actionCreateXsoarIncidentParamOccurred string: XSOAR incident time
actionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
actionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
actionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
actionCreateXsoarIncidentParamType string: XSOAR incident type
actionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
actionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
actionEmailBcc string: BCC email address to use if action.email is enabled.
actionEmailCc string: CC email address to use if action.email is enabled.
actionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
actionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
actionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
actionEmailIncludeResultsLink number: Specify whether to include a link to the results. Defaults to 0.
actionEmailIncludeSearch number: Specify whether to include the search that caused an email to be sent. Defaults to 0.
actionEmailIncludeTrigger number: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
actionEmailIncludeTriggerTime number: Specify whether to show the time that the alert was fired. Defaults to 0.
actionEmailIncludeViewLink number: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
actionEmailInline boolean: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
actionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
actionEmailMaxResults number: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
actionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
actionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
actionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
actionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
actionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
actionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
actionEmailReportIncludeSplunkLogo boolean: Indicates whether to include the Splunk logo with the report.
actionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
actionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
actionEmailReportServerEnabled boolean: No Supported
actionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
actionEmailSendCsv number: Specify whether to send results as a CSV file. Defaults to 0.
actionEmailSendPdf boolean: Indicates whether to create and send the results as a PDF. Defaults to false.
actionEmailSendResults boolean: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
actionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
actionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
actionEmailTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
actionEmailUseSsl boolean: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
actionEmailUseTls boolean: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
actionEmailWidthSortColumns boolean: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
actionJiraServiceDeskParamAccount string: Jira Service Desk account name
actionJiraServiceDeskParamJiraDescription string: Jira issue description
actionJiraServiceDeskParamJiraIssueType string: Jira issue type name
actionJiraServiceDeskParamJiraPriority string: Jira priority of issue
actionJiraServiceDeskParamJiraProject string: Jira Project name
actionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
actionPagerdutyCustomDetails string: The PagerDuty custom details information.
actionPagerdutyIntegrationKey string: The PagerDuty integration Key.
actionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
actionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
actionPopulateLookupDest string: Lookup name of path of the lookup to populate
actionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionPopulateLookupMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionPopulateLookupMaxTime number: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
actionPopulateLookupTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
actionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionRssMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionRssMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionRssTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionScriptFilename string: File name of the script to call. Required if script action is enabled
actionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionScriptMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionScriptMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionScriptTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
actionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
actionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
actionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
actionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
actionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
actionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
actionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
actionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
actionSnowEventParamDescription string: A brief description of the event.
actionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
actionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
actionSnowEventParamSeverity number: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
actionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
actionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionSummaryIndexInline boolean: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
actionSummaryIndexMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionSummaryIndexMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
actionSummaryIndexTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions string: A comma-separated list of actions to enable. For example: rss,email
alertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alertDigestMode boolean: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertSeverity number: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alertSuppress boolean: Indicates whether alert suppression is enabled for this scheduled search.
alertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alertTrack boolean: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
autoSummarize boolean: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
autoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
autoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
autoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
autoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
autoSummarizeMaxDisabledBuckets number: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
autoSummarizeMaxSummaryRatio number: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
autoSummarizeMaxSummarySize number: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
autoSummarizeMaxTime number: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
autoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
autoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description string: Human-readable description of this saved search. Defaults to empty string.
disabled boolean: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatchBuckets number: The maximum number of timeline buckets. Defaults to 0.
dispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtime boolean: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtimeMinspan number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchIndexedRealtimeOffset number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchLookups boolean: Enables or disables the lookups for this search. Defaults to 1.
dispatchMaxCount number: The maximum number of results before finalizing the search. Defaults to 500000.
dispatchMaxTime number: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatchReduceFreq number: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatchRtBackfill boolean: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatchRtMaximumSpan number: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatchSpawnProcess boolean: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
displayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
isScheduled boolean: Whether this search is to be run on a schedule
isVisible boolean: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
maxConcurrent number: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name string: A name for the search.
realtimeSchedule boolean: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
requestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
requestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restartOnSearchpeerAdd boolean: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
runOnStartup boolean: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
scheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
workloadPool string: Specifies the new workload pool where the existing running search will be placed.`

search str: Required when creating a new search.
acl SavedSearchesAclArgs: The app/user context that is the namespace for the resource
action_create_xsoar_incident str: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
action_create_xsoar_incident_param_custom_fields str: XSOAR custom incident fields (should be a comma separated list)
action_create_xsoar_incident_param_details str: XSOAR incident description
action_create_xsoar_incident_param_incident_name str: XSOAR incident name
action_create_xsoar_incident_param_occurred str: XSOAR incident time
action_create_xsoar_incident_param_send_all_servers str: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
action_create_xsoar_incident_param_server_url str: XSOAR Server instance URL (Should start with https:// || http://)
action_create_xsoar_incident_param_severity str: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
action_create_xsoar_incident_param_type str: XSOAR incident type
action_email_auth_password str: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
action_email_auth_username str: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
action_email_bcc str: BCC email address to use if action.email is enabled.
action_email_cc str: CC email address to use if action.email is enabled.
action_email_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_email_format str: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
action_email_from str: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
action_email_hostname str: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
action_email_include_results_link int: Specify whether to include a link to the results. Defaults to 0.
action_email_include_search int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
action_email_include_trigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
action_email_include_trigger_time int: Specify whether to show the time that the alert was fired. Defaults to 0.
action_email_include_view_link int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
action_email_inline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
action_email_mailserver str: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
action_email_max_results int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
action_email_max_time str: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
action_email_message_alert str: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
action_email_message_report str: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
action_email_pdfview str: The name of the view to deliver if sendpdf is enabled
action_email_preprocess_results str: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
action_email_report_cid_font_list str: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
action_email_report_include_splunk_logo bool: Indicates whether to include the Splunk logo with the report.
action_email_report_paper_orientation str: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
action_email_report_paper_size str: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
action_email_report_server_enabled bool: No Supported
action_email_report_server_url str: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
action_email_send_csv int: Specify whether to send results as a CSV file. Defaults to 0.
action_email_send_pdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
action_email_send_results bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
action_email_subject str: Specifies an alternate email subject.Defaults to SplunkAlert-.
action_email_to str: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action_email_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_email_ttl str: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
action_email_use_ssl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
action_email_use_tls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
action_email_width_sort_columns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
action_jira_service_desk_param_account str: Jira Service Desk account name
action_jira_service_desk_param_jira_description str: Jira issue description
action_jira_service_desk_param_jira_issue_type str: Jira issue type name
action_jira_service_desk_param_jira_priority str: Jira priority of issue
action_jira_service_desk_param_jira_project str: Jira Project name
action_jira_service_desk_param_jira_summary str: Jira issue title/summary
action_pagerduty_custom_details str: The PagerDuty custom details information.
action_pagerduty_integration_key str: The PagerDuty integration Key.
action_pagerduty_integration_key_override str: The PagerDuty integration Key override.
action_pagerduty_integration_url str: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
action_pagerduty_integration_url_override str: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
action_populate_lookup_command str: The search command (or pipeline) which is responsible for executing the action.
action_populate_lookup_dest str: Lookup name of path of the lookup to populate
action_populate_lookup_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_populate_lookup_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_populate_lookup_max_time int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
action_populate_lookup_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_populate_lookup_ttl str: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
action_rss_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_rss_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_rss_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_rss_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_rss_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_rss_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_script_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_script_filename str: File name of the script to call. Required if script action is enabled
action_script_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_script_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_script_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_script_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_script_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_slack_param_attachment str: Include a message attachment. Valid values are message, none, or alert_link
action_slack_param_channel str: Slack channel to send the message to (Should start with # or @)
action_slack_param_fields str: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
action_slack_param_message str: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
action_slack_param_webhook_url_override str: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
action_snow_event_param_account str: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
action_snow_event_param_additional_info str: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
action_snow_event_param_ci_identifier str: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
action_snow_event_param_custom_fields str: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
action_snow_event_param_description str: A brief description of the event.
action_snow_event_param_node str: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
action_snow_event_param_resource str: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
action_snow_event_param_severity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
action_snow_event_param_type str: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
action_summary_index_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_summary_index_hostname str: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_summary_index_inline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
action_summary_index_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_summary_index_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_summary_index_name str: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
action_summary_index_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_summary_index_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_webhook_param_url str: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions str: A comma-separated list of actions to enable. For example: rss,email
alert_comparator str: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alert_condition str: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alert_digest_mode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alert_expires str: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alert_severity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alert_suppress bool: Indicates whether alert suppression is enabled for this scheduled search.
alert_suppress_fields str: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert_suppress_period str: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alert_threshold str: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alert_track bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alert_type str: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allow_skew str: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
auto_summarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
auto_summarize_command str: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
auto_summarize_cron_schedule str: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
auto_summarize_dispatch_earliest_time str: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
auto_summarize_dispatch_latest_time str: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
auto_summarize_dispatch_time_format str: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
auto_summarize_dispatch_ttl str: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
auto_summarize_max_disabled_buckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
auto_summarize_max_summary_ratio float: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
auto_summarize_max_summary_size int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
auto_summarize_max_time int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
auto_summarize_suspend_period str: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
auto_summarize_timespan str: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cron_schedule str: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description str: Human-readable description of this saved search. Defaults to empty string.
disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatch_buckets int: The maximum number of timeline buckets. Defaults to 0.
dispatch_earliest_time str: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_index_earliest str: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_index_latest str: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_indexed_realtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_indexed_realtime_minspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatch_indexed_realtime_offset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatch_latest_time str: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_lookups bool: Enables or disables the lookups for this search. Defaults to 1.
dispatch_max_count int: The maximum number of results before finalizing the search. Defaults to 500000.
dispatch_max_time int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatch_reduce_freq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatch_rt_backfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatch_rt_maximum_span int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatch_spawn_process bool: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatch_time_format str: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatch_ttl str: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
display_view str: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
is_scheduled bool: Whether this search is to be run on a schedule
is_visible bool: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
max_concurrent int: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name str: A name for the search.
realtime_schedule bool: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
request_ui_dispatch_app str: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
request_ui_dispatch_view str: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add bool: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
run_on_startup bool: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedule_priority str: Raises the scheduling priority of the named search. Defaults to Default
schedule_window str: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
vsid str: Defines the viewstate id associated with the UI view listed in 'displayview'.
workload_pool str: Specifies the new workload pool where the existing running search will be placed.`

search String: Required when creating a new search.
acl Property Map: The app/user context that is the namespace for the resource
actionCreateXsoarIncident String: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
actionCreateXsoarIncidentParamCustomFields String: XSOAR custom incident fields (should be a comma separated list)
actionCreateXsoarIncidentParamDetails String: XSOAR incident description
actionCreateXsoarIncidentParamIncidentName String: XSOAR incident name
actionCreateXsoarIncidentParamOccurred String: XSOAR incident time
actionCreateXsoarIncidentParamSendAllServers String: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
actionCreateXsoarIncidentParamServerUrl String: XSOAR Server instance URL (Should start with https:// || http://)
actionCreateXsoarIncidentParamSeverity String: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
actionCreateXsoarIncidentParamType String: XSOAR incident type
actionEmailAuthPassword String: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
actionEmailAuthUsername String: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
actionEmailBcc String: BCC email address to use if action.email is enabled.
actionEmailCc String: CC email address to use if action.email is enabled.
actionEmailCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionEmailFormat String: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
actionEmailFrom String: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
actionEmailHostname String: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
actionEmailIncludeResultsLink Number: Specify whether to include a link to the results. Defaults to 0.
actionEmailIncludeSearch Number: Specify whether to include the search that caused an email to be sent. Defaults to 0.
actionEmailIncludeTrigger Number: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
actionEmailIncludeTriggerTime Number: Specify whether to show the time that the alert was fired. Defaults to 0.
actionEmailIncludeViewLink Number: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
actionEmailInline Boolean: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
actionEmailMailserver String: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
actionEmailMaxResults Number: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
actionEmailMaxTime String: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
actionEmailMessageAlert String: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
actionEmailMessageReport String: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
actionEmailPdfview String: The name of the view to deliver if sendpdf is enabled
actionEmailPreprocessResults String: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
actionEmailReportCidFontList String: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
actionEmailReportIncludeSplunkLogo Boolean: Indicates whether to include the Splunk logo with the report.
actionEmailReportPaperOrientation String: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
actionEmailReportPaperSize String: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
actionEmailReportServerEnabled Boolean: No Supported
actionEmailReportServerUrl String: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
actionEmailSendCsv Number: Specify whether to send results as a CSV file. Defaults to 0.
actionEmailSendPdf Boolean: Indicates whether to create and send the results as a PDF. Defaults to false.
actionEmailSendResults Boolean: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
actionEmailSubject String: Specifies an alternate email subject.Defaults to SplunkAlert-.
actionEmailTo String: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
actionEmailTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionEmailTtl String: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
actionEmailUseSsl Boolean: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
actionEmailUseTls Boolean: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
actionEmailWidthSortColumns Boolean: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
actionJiraServiceDeskParamAccount String: Jira Service Desk account name
actionJiraServiceDeskParamJiraDescription String: Jira issue description
actionJiraServiceDeskParamJiraIssueType String: Jira issue type name
actionJiraServiceDeskParamJiraPriority String: Jira priority of issue
actionJiraServiceDeskParamJiraProject String: Jira Project name
actionJiraServiceDeskParamJiraSummary String: Jira issue title/summary
actionPagerdutyCustomDetails String: The PagerDuty custom details information.
actionPagerdutyIntegrationKey String: The PagerDuty integration Key.
actionPagerdutyIntegrationKeyOverride String: The PagerDuty integration Key override.
actionPagerdutyIntegrationUrl String: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPagerdutyIntegrationUrlOverride String: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPopulateLookupCommand String: The search command (or pipeline) which is responsible for executing the action.
actionPopulateLookupDest String: Lookup name of path of the lookup to populate
actionPopulateLookupHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionPopulateLookupMaxResults Number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionPopulateLookupMaxTime Number: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
actionPopulateLookupTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionPopulateLookupTtl String: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
actionRssCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionRssHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionRssMaxResults Number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionRssMaxTime Number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionRssTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionRssTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionScriptCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionScriptFilename String: File name of the script to call. Required if script action is enabled
actionScriptHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionScriptMaxResults Number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionScriptMaxTime Number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionScriptTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionScriptTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionSlackParamAttachment String: Include a message attachment. Valid values are message, none, or alert_link
actionSlackParamChannel String: Slack channel to send the message to (Should start with # or @)
actionSlackParamFields String: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
actionSlackParamMessage String: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
actionSlackParamWebhookUrlOverride String: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
actionSnowEventParamAccount String: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
actionSnowEventParamAdditionalInfo String: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
actionSnowEventParamCiIdentifier String: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
actionSnowEventParamCustomFields String: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
actionSnowEventParamDescription String: A brief description of the event.
actionSnowEventParamNode String: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
actionSnowEventParamResource String: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
actionSnowEventParamSeverity Number: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
actionSnowEventParamType String: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
actionSummaryIndexCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionSummaryIndexHostname String: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionSummaryIndexInline Boolean: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
actionSummaryIndexMaxResults Number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionSummaryIndexMaxTime Number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionSummaryIndexName String: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
actionSummaryIndexTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionSummaryIndexTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionWebhookParamUrl String: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions String: A comma-separated list of actions to enable. For example: rss,email
alertComparator String: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alertCondition String: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alertDigestMode Boolean: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alertExpires String: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertSeverity Number: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alertSuppress Boolean: Indicates whether alert suppression is enabled for this scheduled search.
alertSuppressFields String: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alertSuppressPeriod String: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertThreshold String: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alertTrack Boolean: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alertType String: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allowSkew String: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
autoSummarize Boolean: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
autoSummarizeCommand String: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
autoSummarizeCronSchedule String: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
autoSummarizeDispatchEarliestTime String: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchLatestTime String: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchTimeFormat String: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
autoSummarizeDispatchTtl String: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
autoSummarizeMaxDisabledBuckets Number: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
autoSummarizeMaxSummaryRatio Number: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
autoSummarizeMaxSummarySize Number: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
autoSummarizeMaxTime Number: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
autoSummarizeSuspendPeriod String: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
autoSummarizeTimespan String: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cronSchedule String: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description String: Human-readable description of this saved search. Defaults to empty string.
disabled Boolean: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatchBuckets Number: The maximum number of timeline buckets. Defaults to 0.
dispatchEarliestTime String: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexEarliest String: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexLatest String: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtime Boolean: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtimeMinspan Number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchIndexedRealtimeOffset Number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchLatestTime String: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchLookups Boolean: Enables or disables the lookups for this search. Defaults to 1.
dispatchMaxCount Number: The maximum number of results before finalizing the search. Defaults to 500000.
dispatchMaxTime Number: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatchReduceFreq Number: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatchRtBackfill Boolean: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatchRtMaximumSpan Number: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatchSpawnProcess Boolean: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatchTimeFormat String: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatchTtl String: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
displayView String: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
isScheduled Boolean: Whether this search is to be run on a schedule
isVisible Boolean: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
maxConcurrent Number: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name String: A name for the search.
realtimeSchedule Boolean: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
requestUiDispatchApp String: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
requestUiDispatchView String: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restartOnSearchpeerAdd Boolean: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
runOnStartup Boolean: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedulePriority String: Raises the scheduling priority of the named search. Defaults to Default
scheduleWindow String: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
vsid String: Defines the viewstate id associated with the UI view listed in 'displayview'.
workloadPool String: Specifies the new workload pool where the existing running search will be placed.`

Outputs

All input properties are implicitly available as output properties. Additionally, the SavedSearches resource produces the following output properties:

ActionEmail bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionPopulateLookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionRss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
ActionScript bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionSummaryIndex bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
Id string: The provider-assigned unique ID for this managed resource.

ActionEmail bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionPopulateLookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionRss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
ActionScript bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionSummaryIndex bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
Id string: The provider-assigned unique ID for this managed resource.

actionEmail Boolean: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionPopulateLookup Boolean: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionRss Boolean: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
actionScript Boolean: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionSummaryIndex Boolean: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
id String: The provider-assigned unique ID for this managed resource.

actionEmail boolean: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionPopulateLookup boolean: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionRss boolean: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
actionScript boolean: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionSummaryIndex boolean: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
id string: The provider-assigned unique ID for this managed resource.

action_email bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_populate_lookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_rss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
action_script bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_summary_index bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
id str: The provider-assigned unique ID for this managed resource.

actionEmail Boolean: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionPopulateLookup Boolean: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionRss Boolean: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
actionScript Boolean: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionSummaryIndex Boolean: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing SavedSearches Resource

Get an existing SavedSearches resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SavedSearchesState, opts?: CustomResourceOptions): SavedSearches

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        acl: Optional[SavedSearchesAclArgs] = None,
        action_create_xsoar_incident: Optional[str] = None,
        action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
        action_create_xsoar_incident_param_details: Optional[str] = None,
        action_create_xsoar_incident_param_incident_name: Optional[str] = None,
        action_create_xsoar_incident_param_occurred: Optional[str] = None,
        action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
        action_create_xsoar_incident_param_server_url: Optional[str] = None,
        action_create_xsoar_incident_param_severity: Optional[str] = None,
        action_create_xsoar_incident_param_type: Optional[str] = None,
        action_email: Optional[bool] = None,
        action_email_auth_password: Optional[str] = None,
        action_email_auth_username: Optional[str] = None,
        action_email_bcc: Optional[str] = None,
        action_email_cc: Optional[str] = None,
        action_email_command: Optional[str] = None,
        action_email_format: Optional[str] = None,
        action_email_from: Optional[str] = None,
        action_email_hostname: Optional[str] = None,
        action_email_include_results_link: Optional[int] = None,
        action_email_include_search: Optional[int] = None,
        action_email_include_trigger: Optional[int] = None,
        action_email_include_trigger_time: Optional[int] = None,
        action_email_include_view_link: Optional[int] = None,
        action_email_inline: Optional[bool] = None,
        action_email_mailserver: Optional[str] = None,
        action_email_max_results: Optional[int] = None,
        action_email_max_time: Optional[str] = None,
        action_email_message_alert: Optional[str] = None,
        action_email_message_report: Optional[str] = None,
        action_email_pdfview: Optional[str] = None,
        action_email_preprocess_results: Optional[str] = None,
        action_email_report_cid_font_list: Optional[str] = None,
        action_email_report_include_splunk_logo: Optional[bool] = None,
        action_email_report_paper_orientation: Optional[str] = None,
        action_email_report_paper_size: Optional[str] = None,
        action_email_report_server_enabled: Optional[bool] = None,
        action_email_report_server_url: Optional[str] = None,
        action_email_send_csv: Optional[int] = None,
        action_email_send_pdf: Optional[bool] = None,
        action_email_send_results: Optional[bool] = None,
        action_email_subject: Optional[str] = None,
        action_email_to: Optional[str] = None,
        action_email_track_alert: Optional[bool] = None,
        action_email_ttl: Optional[str] = None,
        action_email_use_ssl: Optional[bool] = None,
        action_email_use_tls: Optional[bool] = None,
        action_email_width_sort_columns: Optional[bool] = None,
        action_jira_service_desk_param_account: Optional[str] = None,
        action_jira_service_desk_param_jira_description: Optional[str] = None,
        action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
        action_jira_service_desk_param_jira_priority: Optional[str] = None,
        action_jira_service_desk_param_jira_project: Optional[str] = None,
        action_jira_service_desk_param_jira_summary: Optional[str] = None,
        action_pagerduty_custom_details: Optional[str] = None,
        action_pagerduty_integration_key: Optional[str] = None,
        action_pagerduty_integration_key_override: Optional[str] = None,
        action_pagerduty_integration_url: Optional[str] = None,
        action_pagerduty_integration_url_override: Optional[str] = None,
        action_populate_lookup: Optional[bool] = None,
        action_populate_lookup_command: Optional[str] = None,
        action_populate_lookup_dest: Optional[str] = None,
        action_populate_lookup_hostname: Optional[str] = None,
        action_populate_lookup_max_results: Optional[int] = None,
        action_populate_lookup_max_time: Optional[int] = None,
        action_populate_lookup_track_alert: Optional[bool] = None,
        action_populate_lookup_ttl: Optional[str] = None,
        action_rss: Optional[bool] = None,
        action_rss_command: Optional[str] = None,
        action_rss_hostname: Optional[str] = None,
        action_rss_max_results: Optional[int] = None,
        action_rss_max_time: Optional[int] = None,
        action_rss_track_alert: Optional[bool] = None,
        action_rss_ttl: Optional[str] = None,
        action_script: Optional[bool] = None,
        action_script_command: Optional[str] = None,
        action_script_filename: Optional[str] = None,
        action_script_hostname: Optional[str] = None,
        action_script_max_results: Optional[int] = None,
        action_script_max_time: Optional[int] = None,
        action_script_track_alert: Optional[bool] = None,
        action_script_ttl: Optional[str] = None,
        action_slack_param_attachment: Optional[str] = None,
        action_slack_param_channel: Optional[str] = None,
        action_slack_param_fields: Optional[str] = None,
        action_slack_param_message: Optional[str] = None,
        action_slack_param_webhook_url_override: Optional[str] = None,
        action_snow_event_param_account: Optional[str] = None,
        action_snow_event_param_additional_info: Optional[str] = None,
        action_snow_event_param_ci_identifier: Optional[str] = None,
        action_snow_event_param_custom_fields: Optional[str] = None,
        action_snow_event_param_description: Optional[str] = None,
        action_snow_event_param_node: Optional[str] = None,
        action_snow_event_param_resource: Optional[str] = None,
        action_snow_event_param_severity: Optional[int] = None,
        action_snow_event_param_type: Optional[str] = None,
        action_summary_index: Optional[bool] = None,
        action_summary_index_command: Optional[str] = None,
        action_summary_index_hostname: Optional[str] = None,
        action_summary_index_inline: Optional[bool] = None,
        action_summary_index_max_results: Optional[int] = None,
        action_summary_index_max_time: Optional[int] = None,
        action_summary_index_name: Optional[str] = None,
        action_summary_index_track_alert: Optional[bool] = None,
        action_summary_index_ttl: Optional[str] = None,
        action_webhook_param_url: Optional[str] = None,
        actions: Optional[str] = None,
        alert_comparator: Optional[str] = None,
        alert_condition: Optional[str] = None,
        alert_digest_mode: Optional[bool] = None,
        alert_expires: Optional[str] = None,
        alert_severity: Optional[int] = None,
        alert_suppress: Optional[bool] = None,
        alert_suppress_fields: Optional[str] = None,
        alert_suppress_period: Optional[str] = None,
        alert_threshold: Optional[str] = None,
        alert_track: Optional[bool] = None,
        alert_type: Optional[str] = None,
        allow_skew: Optional[str] = None,
        auto_summarize: Optional[bool] = None,
        auto_summarize_command: Optional[str] = None,
        auto_summarize_cron_schedule: Optional[str] = None,
        auto_summarize_dispatch_earliest_time: Optional[str] = None,
        auto_summarize_dispatch_latest_time: Optional[str] = None,
        auto_summarize_dispatch_time_format: Optional[str] = None,
        auto_summarize_dispatch_ttl: Optional[str] = None,
        auto_summarize_max_disabled_buckets: Optional[int] = None,
        auto_summarize_max_summary_ratio: Optional[float] = None,
        auto_summarize_max_summary_size: Optional[int] = None,
        auto_summarize_max_time: Optional[int] = None,
        auto_summarize_suspend_period: Optional[str] = None,
        auto_summarize_timespan: Optional[str] = None,
        cron_schedule: Optional[str] = None,
        description: Optional[str] = None,
        disabled: Optional[bool] = None,
        dispatch_buckets: Optional[int] = None,
        dispatch_earliest_time: Optional[str] = None,
        dispatch_index_earliest: Optional[str] = None,
        dispatch_index_latest: Optional[str] = None,
        dispatch_indexed_realtime: Optional[bool] = None,
        dispatch_indexed_realtime_minspan: Optional[int] = None,
        dispatch_indexed_realtime_offset: Optional[int] = None,
        dispatch_latest_time: Optional[str] = None,
        dispatch_lookups: Optional[bool] = None,
        dispatch_max_count: Optional[int] = None,
        dispatch_max_time: Optional[int] = None,
        dispatch_reduce_freq: Optional[int] = None,
        dispatch_rt_backfill: Optional[bool] = None,
        dispatch_rt_maximum_span: Optional[int] = None,
        dispatch_spawn_process: Optional[bool] = None,
        dispatch_time_format: Optional[str] = None,
        dispatch_ttl: Optional[str] = None,
        display_view: Optional[str] = None,
        is_scheduled: Optional[bool] = None,
        is_visible: Optional[bool] = None,
        max_concurrent: Optional[int] = None,
        name: Optional[str] = None,
        realtime_schedule: Optional[bool] = None,
        request_ui_dispatch_app: Optional[str] = None,
        request_ui_dispatch_view: Optional[str] = None,
        restart_on_searchpeer_add: Optional[bool] = None,
        run_on_startup: Optional[bool] = None,
        schedule_priority: Optional[str] = None,
        schedule_window: Optional[str] = None,
        search: Optional[str] = None,
        vsid: Optional[str] = None,
        workload_pool: Optional[str] = None) -> SavedSearches

func GetSavedSearches(ctx *Context, name string, id IDInput, state *SavedSearchesState, opts ...ResourceOption) (*SavedSearches, error)

public static SavedSearches Get(string name, Input<string> id, SavedSearchesState? state, CustomResourceOptions? opts = null)

public static SavedSearches get(String name, Output<String> id, SavedSearchesState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Acl SavedSearchesAcl: The app/user context that is the namespace for the resource
ActionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
ActionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
ActionCreateXsoarIncidentParamDetails string: XSOAR incident description
ActionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
ActionCreateXsoarIncidentParamOccurred string: XSOAR incident time
ActionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
ActionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
ActionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
ActionCreateXsoarIncidentParamType string: XSOAR incident type
ActionEmail bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
ActionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
ActionEmailBcc string: BCC email address to use if action.email is enabled.
ActionEmailCc string: CC email address to use if action.email is enabled.
ActionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
ActionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
ActionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
ActionEmailIncludeResultsLink int: Specify whether to include a link to the results. Defaults to 0.
ActionEmailIncludeSearch int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
ActionEmailIncludeTrigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
ActionEmailIncludeTriggerTime int: Specify whether to show the time that the alert was fired. Defaults to 0.
ActionEmailIncludeViewLink int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
ActionEmailInline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
ActionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
ActionEmailMaxResults int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
ActionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
ActionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
ActionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
ActionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
ActionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
ActionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
ActionEmailReportIncludeSplunkLogo bool: Indicates whether to include the Splunk logo with the report.
ActionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
ActionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
ActionEmailReportServerEnabled bool: No Supported
ActionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
ActionEmailSendCsv int: Specify whether to send results as a CSV file. Defaults to 0.
ActionEmailSendPdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
ActionEmailSendResults bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
ActionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
ActionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
ActionEmailTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
ActionEmailUseSsl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
ActionEmailUseTls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
ActionEmailWidthSortColumns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
ActionJiraServiceDeskParamAccount string: Jira Service Desk account name
ActionJiraServiceDeskParamJiraDescription string: Jira issue description
ActionJiraServiceDeskParamJiraIssueType string: Jira issue type name
ActionJiraServiceDeskParamJiraPriority string: Jira priority of issue
ActionJiraServiceDeskParamJiraProject string: Jira Project name
ActionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
ActionPagerdutyCustomDetails string: The PagerDuty custom details information.
ActionPagerdutyIntegrationKey string: The PagerDuty integration Key.
ActionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
ActionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPopulateLookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
ActionPopulateLookupDest string: Lookup name of path of the lookup to populate
ActionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionPopulateLookupMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionPopulateLookupMaxTime int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
ActionPopulateLookupTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
ActionRss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
ActionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionRssMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionRssMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionRssTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionScript bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionScriptFilename string: File name of the script to call. Required if script action is enabled
ActionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionScriptMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionScriptMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionScriptTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
ActionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
ActionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
ActionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
ActionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
ActionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
ActionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
ActionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
ActionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
ActionSnowEventParamDescription string: A brief description of the event.
ActionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
ActionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
ActionSnowEventParamSeverity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
ActionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
ActionSummaryIndex bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionSummaryIndexInline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
ActionSummaryIndexMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionSummaryIndexMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
ActionSummaryIndexTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
Actions string: A comma-separated list of actions to enable. For example: rss,email
AlertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
AlertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
AlertDigestMode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
AlertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertSeverity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
AlertSuppress bool: Indicates whether alert suppression is enabled for this scheduled search.
AlertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
AlertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
AlertTrack bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
AlertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
AllowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
AutoSummarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
AutoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
AutoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
AutoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
AutoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
AutoSummarizeMaxDisabledBuckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
AutoSummarizeMaxSummaryRatio double: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
AutoSummarizeMaxSummarySize int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
AutoSummarizeMaxTime int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
AutoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
AutoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
CronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
Description string: Human-readable description of this saved search. Defaults to empty string.
Disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
DispatchBuckets int: The maximum number of timeline buckets. Defaults to 0.
DispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtimeMinspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchIndexedRealtimeOffset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchLookups bool: Enables or disables the lookups for this search. Defaults to 1.
DispatchMaxCount int: The maximum number of results before finalizing the search. Defaults to 500000.
DispatchMaxTime int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
DispatchReduceFreq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
DispatchRtBackfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
DispatchRtMaximumSpan int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
DispatchSpawnProcess bool: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
DispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
DispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
DisplayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
IsScheduled bool: Whether this search is to be run on a schedule
IsVisible bool: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
MaxConcurrent int: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
Name string: A name for the search.
RealtimeSchedule bool: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
RequestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
RequestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
RestartOnSearchpeerAdd bool: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
RunOnStartup bool: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
SchedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
ScheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
Search string: Required when creating a new search.
Vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
WorkloadPool string: Specifies the new workload pool where the existing running search will be placed.`

Acl SavedSearchesAclArgs: The app/user context that is the namespace for the resource
ActionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
ActionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
ActionCreateXsoarIncidentParamDetails string: XSOAR incident description
ActionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
ActionCreateXsoarIncidentParamOccurred string: XSOAR incident time
ActionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
ActionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
ActionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
ActionCreateXsoarIncidentParamType string: XSOAR incident type
ActionEmail bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
ActionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
ActionEmailBcc string: BCC email address to use if action.email is enabled.
ActionEmailCc string: CC email address to use if action.email is enabled.
ActionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
ActionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
ActionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
ActionEmailIncludeResultsLink int: Specify whether to include a link to the results. Defaults to 0.
ActionEmailIncludeSearch int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
ActionEmailIncludeTrigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
ActionEmailIncludeTriggerTime int: Specify whether to show the time that the alert was fired. Defaults to 0.
ActionEmailIncludeViewLink int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
ActionEmailInline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
ActionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
ActionEmailMaxResults int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
ActionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
ActionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
ActionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
ActionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
ActionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
ActionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
ActionEmailReportIncludeSplunkLogo bool: Indicates whether to include the Splunk logo with the report.
ActionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
ActionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
ActionEmailReportServerEnabled bool: No Supported
ActionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
ActionEmailSendCsv int: Specify whether to send results as a CSV file. Defaults to 0.
ActionEmailSendPdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
ActionEmailSendResults bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
ActionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
ActionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
ActionEmailTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
ActionEmailUseSsl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
ActionEmailUseTls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
ActionEmailWidthSortColumns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
ActionJiraServiceDeskParamAccount string: Jira Service Desk account name
ActionJiraServiceDeskParamJiraDescription string: Jira issue description
ActionJiraServiceDeskParamJiraIssueType string: Jira issue type name
ActionJiraServiceDeskParamJiraPriority string: Jira priority of issue
ActionJiraServiceDeskParamJiraProject string: Jira Project name
ActionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
ActionPagerdutyCustomDetails string: The PagerDuty custom details information.
ActionPagerdutyIntegrationKey string: The PagerDuty integration Key.
ActionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
ActionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
ActionPopulateLookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
ActionPopulateLookupDest string: Lookup name of path of the lookup to populate
ActionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionPopulateLookupMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionPopulateLookupMaxTime int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
ActionPopulateLookupTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
ActionRss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
ActionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionRssMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionRssMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionRssTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionScript bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionScriptFilename string: File name of the script to call. Required if script action is enabled
ActionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionScriptMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionScriptMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionScriptTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
ActionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
ActionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
ActionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
ActionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
ActionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
ActionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
ActionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
ActionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
ActionSnowEventParamDescription string: A brief description of the event.
ActionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
ActionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
ActionSnowEventParamSeverity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
ActionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
ActionSummaryIndex bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
ActionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
ActionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
ActionSummaryIndexInline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
ActionSummaryIndexMaxResults int: Sets the maximum number of search results sent using alerts. Defaults to 100.
ActionSummaryIndexMaxTime int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
ActionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
ActionSummaryIndexTrackAlert bool: Indicates whether the execution of this action signifies a trackable alert.
ActionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
ActionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
Actions string: A comma-separated list of actions to enable. For example: rss,email
AlertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
AlertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
AlertDigestMode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
AlertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertSeverity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
AlertSuppress bool: Indicates whether alert suppression is enabled for this scheduled search.
AlertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
AlertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
AlertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
AlertTrack bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
AlertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
AllowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
AutoSummarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
AutoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
AutoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
AutoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
AutoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
AutoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
AutoSummarizeMaxDisabledBuckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
AutoSummarizeMaxSummaryRatio float64: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
AutoSummarizeMaxSummarySize int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
AutoSummarizeMaxTime int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
AutoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
AutoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
CronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
Description string: Human-readable description of this saved search. Defaults to empty string.
Disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
DispatchBuckets int: The maximum number of timeline buckets. Defaults to 0.
DispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchIndexedRealtimeMinspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchIndexedRealtimeOffset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
DispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
DispatchLookups bool: Enables or disables the lookups for this search. Defaults to 1.
DispatchMaxCount int: The maximum number of results before finalizing the search. Defaults to 500000.
DispatchMaxTime int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
DispatchReduceFreq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
DispatchRtBackfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
DispatchRtMaximumSpan int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
DispatchSpawnProcess bool: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
DispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
DispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
DisplayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
IsScheduled bool: Whether this search is to be run on a schedule
IsVisible bool: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
MaxConcurrent int: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
Name string: A name for the search.
RealtimeSchedule bool: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
RequestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
RequestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
RestartOnSearchpeerAdd bool: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
RunOnStartup bool: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
SchedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
ScheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
Search string: Required when creating a new search.
Vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
WorkloadPool string: Specifies the new workload pool where the existing running search will be placed.`

acl SavedSearchesAcl: The app/user context that is the namespace for the resource
actionCreateXsoarIncident String: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
actionCreateXsoarIncidentParamCustomFields String: XSOAR custom incident fields (should be a comma separated list)
actionCreateXsoarIncidentParamDetails String: XSOAR incident description
actionCreateXsoarIncidentParamIncidentName String: XSOAR incident name
actionCreateXsoarIncidentParamOccurred String: XSOAR incident time
actionCreateXsoarIncidentParamSendAllServers String: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
actionCreateXsoarIncidentParamServerUrl String: XSOAR Server instance URL (Should start with https:// || http://)
actionCreateXsoarIncidentParamSeverity String: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
actionCreateXsoarIncidentParamType String: XSOAR incident type
actionEmail Boolean: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionEmailAuthPassword String: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
actionEmailAuthUsername String: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
actionEmailBcc String: BCC email address to use if action.email is enabled.
actionEmailCc String: CC email address to use if action.email is enabled.
actionEmailCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionEmailFormat String: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
actionEmailFrom String: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
actionEmailHostname String: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
actionEmailIncludeResultsLink Integer: Specify whether to include a link to the results. Defaults to 0.
actionEmailIncludeSearch Integer: Specify whether to include the search that caused an email to be sent. Defaults to 0.
actionEmailIncludeTrigger Integer: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
actionEmailIncludeTriggerTime Integer: Specify whether to show the time that the alert was fired. Defaults to 0.
actionEmailIncludeViewLink Integer: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
actionEmailInline Boolean: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
actionEmailMailserver String: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
actionEmailMaxResults Integer: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
actionEmailMaxTime String: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
actionEmailMessageAlert String: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
actionEmailMessageReport String: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
actionEmailPdfview String: The name of the view to deliver if sendpdf is enabled
actionEmailPreprocessResults String: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
actionEmailReportCidFontList String: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
actionEmailReportIncludeSplunkLogo Boolean: Indicates whether to include the Splunk logo with the report.
actionEmailReportPaperOrientation String: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
actionEmailReportPaperSize String: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
actionEmailReportServerEnabled Boolean: No Supported
actionEmailReportServerUrl String: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
actionEmailSendCsv Integer: Specify whether to send results as a CSV file. Defaults to 0.
actionEmailSendPdf Boolean: Indicates whether to create and send the results as a PDF. Defaults to false.
actionEmailSendResults Boolean: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
actionEmailSubject String: Specifies an alternate email subject.Defaults to SplunkAlert-.
actionEmailTo String: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
actionEmailTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionEmailTtl String: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
actionEmailUseSsl Boolean: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
actionEmailUseTls Boolean: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
actionEmailWidthSortColumns Boolean: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
actionJiraServiceDeskParamAccount String: Jira Service Desk account name
actionJiraServiceDeskParamJiraDescription String: Jira issue description
actionJiraServiceDeskParamJiraIssueType String: Jira issue type name
actionJiraServiceDeskParamJiraPriority String: Jira priority of issue
actionJiraServiceDeskParamJiraProject String: Jira Project name
actionJiraServiceDeskParamJiraSummary String: Jira issue title/summary
actionPagerdutyCustomDetails String: The PagerDuty custom details information.
actionPagerdutyIntegrationKey String: The PagerDuty integration Key.
actionPagerdutyIntegrationKeyOverride String: The PagerDuty integration Key override.
actionPagerdutyIntegrationUrl String: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPagerdutyIntegrationUrlOverride String: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPopulateLookup Boolean: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionPopulateLookupCommand String: The search command (or pipeline) which is responsible for executing the action.
actionPopulateLookupDest String: Lookup name of path of the lookup to populate
actionPopulateLookupHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionPopulateLookupMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionPopulateLookupMaxTime Integer: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
actionPopulateLookupTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionPopulateLookupTtl String: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
actionRss Boolean: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
actionRssCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionRssHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionRssMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionRssMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionRssTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionRssTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionScript Boolean: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionScriptCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionScriptFilename String: File name of the script to call. Required if script action is enabled
actionScriptHostname String: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionScriptMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionScriptMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionScriptTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionScriptTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionSlackParamAttachment String: Include a message attachment. Valid values are message, none, or alert_link
actionSlackParamChannel String: Slack channel to send the message to (Should start with # or @)
actionSlackParamFields String: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
actionSlackParamMessage String: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
actionSlackParamWebhookUrlOverride String: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
actionSnowEventParamAccount String: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
actionSnowEventParamAdditionalInfo String: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
actionSnowEventParamCiIdentifier String: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
actionSnowEventParamCustomFields String: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
actionSnowEventParamDescription String: A brief description of the event.
actionSnowEventParamNode String: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
actionSnowEventParamResource String: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
actionSnowEventParamSeverity Integer: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
actionSnowEventParamType String: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
actionSummaryIndex Boolean: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionSummaryIndexCommand String: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionSummaryIndexHostname String: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionSummaryIndexInline Boolean: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
actionSummaryIndexMaxResults Integer: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionSummaryIndexMaxTime Integer: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionSummaryIndexName String: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
actionSummaryIndexTrackAlert Boolean: Indicates whether the execution of this action signifies a trackable alert.
actionSummaryIndexTtl String: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionWebhookParamUrl String: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions String: A comma-separated list of actions to enable. For example: rss,email
alertComparator String: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alertCondition String: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alertDigestMode Boolean: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alertExpires String: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertSeverity Integer: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alertSuppress Boolean: Indicates whether alert suppression is enabled for this scheduled search.
alertSuppressFields String: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alertSuppressPeriod String: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertThreshold String: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alertTrack Boolean: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alertType String: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allowSkew String: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
autoSummarize Boolean: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
autoSummarizeCommand String: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
autoSummarizeCronSchedule String: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
autoSummarizeDispatchEarliestTime String: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchLatestTime String: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchTimeFormat String: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
autoSummarizeDispatchTtl String: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
autoSummarizeMaxDisabledBuckets Integer: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
autoSummarizeMaxSummaryRatio Double: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
autoSummarizeMaxSummarySize Integer: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
autoSummarizeMaxTime Integer: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
autoSummarizeSuspendPeriod String: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
autoSummarizeTimespan String: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cronSchedule String: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description String: Human-readable description of this saved search. Defaults to empty string.
disabled Boolean: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatchBuckets Integer: The maximum number of timeline buckets. Defaults to 0.
dispatchEarliestTime String: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexEarliest String: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexLatest String: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtime Boolean: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtimeMinspan Integer: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchIndexedRealtimeOffset Integer: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchLatestTime String: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchLookups Boolean: Enables or disables the lookups for this search. Defaults to 1.
dispatchMaxCount Integer: The maximum number of results before finalizing the search. Defaults to 500000.
dispatchMaxTime Integer: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatchReduceFreq Integer: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatchRtBackfill Boolean: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatchRtMaximumSpan Integer: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatchSpawnProcess Boolean: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatchTimeFormat String: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatchTtl String: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
displayView String: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
isScheduled Boolean: Whether this search is to be run on a schedule
isVisible Boolean: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
maxConcurrent Integer: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name String: A name for the search.
realtimeSchedule Boolean: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
requestUiDispatchApp String: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
requestUiDispatchView String: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restartOnSearchpeerAdd Boolean: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
runOnStartup Boolean: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedulePriority String: Raises the scheduling priority of the named search. Defaults to Default
scheduleWindow String: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
search String: Required when creating a new search.
vsid String: Defines the viewstate id associated with the UI view listed in 'displayview'.
workloadPool String: Specifies the new workload pool where the existing running search will be placed.`

acl SavedSearchesAcl: The app/user context that is the namespace for the resource
actionCreateXsoarIncident string: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
actionCreateXsoarIncidentParamCustomFields string: XSOAR custom incident fields (should be a comma separated list)
actionCreateXsoarIncidentParamDetails string: XSOAR incident description
actionCreateXsoarIncidentParamIncidentName string: XSOAR incident name
actionCreateXsoarIncidentParamOccurred string: XSOAR incident time
actionCreateXsoarIncidentParamSendAllServers string: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
actionCreateXsoarIncidentParamServerUrl string: XSOAR Server instance URL (Should start with https:// || http://)
actionCreateXsoarIncidentParamSeverity string: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
actionCreateXsoarIncidentParamType string: XSOAR incident type
actionEmail boolean: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionEmailAuthPassword string: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
actionEmailAuthUsername string: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
actionEmailBcc string: BCC email address to use if action.email is enabled.
actionEmailCc string: CC email address to use if action.email is enabled.
actionEmailCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionEmailFormat string: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
actionEmailFrom string: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
actionEmailHostname string: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
actionEmailIncludeResultsLink number: Specify whether to include a link to the results. Defaults to 0.
actionEmailIncludeSearch number: Specify whether to include the search that caused an email to be sent. Defaults to 0.
actionEmailIncludeTrigger number: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
actionEmailIncludeTriggerTime number: Specify whether to show the time that the alert was fired. Defaults to 0.
actionEmailIncludeViewLink number: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
actionEmailInline boolean: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
actionEmailMailserver string: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
actionEmailMaxResults number: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
actionEmailMaxTime string: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
actionEmailMessageAlert string: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
actionEmailMessageReport string: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
actionEmailPdfview string: The name of the view to deliver if sendpdf is enabled
actionEmailPreprocessResults string: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
actionEmailReportCidFontList string: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
actionEmailReportIncludeSplunkLogo boolean: Indicates whether to include the Splunk logo with the report.
actionEmailReportPaperOrientation string: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
actionEmailReportPaperSize string: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
actionEmailReportServerEnabled boolean: No Supported
actionEmailReportServerUrl string: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
actionEmailSendCsv number: Specify whether to send results as a CSV file. Defaults to 0.
actionEmailSendPdf boolean: Indicates whether to create and send the results as a PDF. Defaults to false.
actionEmailSendResults boolean: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
actionEmailSubject string: Specifies an alternate email subject.Defaults to SplunkAlert-.
actionEmailTo string: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
actionEmailTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionEmailTtl string: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
actionEmailUseSsl boolean: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
actionEmailUseTls boolean: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
actionEmailWidthSortColumns boolean: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
actionJiraServiceDeskParamAccount string: Jira Service Desk account name
actionJiraServiceDeskParamJiraDescription string: Jira issue description
actionJiraServiceDeskParamJiraIssueType string: Jira issue type name
actionJiraServiceDeskParamJiraPriority string: Jira priority of issue
actionJiraServiceDeskParamJiraProject string: Jira Project name
actionJiraServiceDeskParamJiraSummary string: Jira issue title/summary
actionPagerdutyCustomDetails string: The PagerDuty custom details information.
actionPagerdutyIntegrationKey string: The PagerDuty integration Key.
actionPagerdutyIntegrationKeyOverride string: The PagerDuty integration Key override.
actionPagerdutyIntegrationUrl string: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPagerdutyIntegrationUrlOverride string: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
actionPopulateLookup boolean: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionPopulateLookupCommand string: The search command (or pipeline) which is responsible for executing the action.
actionPopulateLookupDest string: Lookup name of path of the lookup to populate
actionPopulateLookupHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionPopulateLookupMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionPopulateLookupMaxTime number: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
actionPopulateLookupTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionPopulateLookupTtl string: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
actionRss boolean: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
actionRssCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionRssHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionRssMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionRssMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionRssTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionRssTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionScript boolean: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionScriptCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionScriptFilename string: File name of the script to call. Required if script action is enabled
actionScriptHostname string: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionScriptMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionScriptMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionScriptTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionScriptTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionSlackParamAttachment string: Include a message attachment. Valid values are message, none, or alert_link
actionSlackParamChannel string: Slack channel to send the message to (Should start with # or @)
actionSlackParamFields string: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
actionSlackParamMessage string: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
actionSlackParamWebhookUrlOverride string: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
actionSnowEventParamAccount string: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
actionSnowEventParamAdditionalInfo string: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
actionSnowEventParamCiIdentifier string: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
actionSnowEventParamCustomFields string: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
actionSnowEventParamDescription string: A brief description of the event.
actionSnowEventParamNode string: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
actionSnowEventParamResource string: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
actionSnowEventParamSeverity number: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
actionSnowEventParamType string: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
actionSummaryIndex boolean: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
actionSummaryIndexCommand string: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
actionSummaryIndexHostname string: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
actionSummaryIndexInline boolean: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
actionSummaryIndexMaxResults number: Sets the maximum number of search results sent using alerts. Defaults to 100.
actionSummaryIndexMaxTime number: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
actionSummaryIndexName string: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
actionSummaryIndexTrackAlert boolean: Indicates whether the execution of this action signifies a trackable alert.
actionSummaryIndexTtl string: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
actionWebhookParamUrl string: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions string: A comma-separated list of actions to enable. For example: rss,email
alertComparator string: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alertCondition string: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alertDigestMode boolean: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alertExpires string: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertSeverity number: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alertSuppress boolean: Indicates whether alert suppression is enabled for this scheduled search.
alertSuppressFields string: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alertSuppressPeriod string: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alertThreshold string: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alertTrack boolean: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alertType string: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allowSkew string: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
autoSummarize boolean: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
autoSummarizeCommand string: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
autoSummarizeCronSchedule string: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
autoSummarizeDispatchEarliestTime string: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchLatestTime string: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
autoSummarizeDispatchTimeFormat string: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
autoSummarizeDispatchTtl string: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
autoSummarizeMaxDisabledBuckets number: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
autoSummarizeMaxSummaryRatio number: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
autoSummarizeMaxSummarySize number: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
autoSummarizeMaxTime number: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
autoSummarizeSuspendPeriod string: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
autoSummarizeTimespan string: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cronSchedule string: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description string: Human-readable description of this saved search. Defaults to empty string.
disabled boolean: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatchBuckets number: The maximum number of timeline buckets. Defaults to 0.
dispatchEarliestTime string: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexEarliest string: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexLatest string: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtime boolean: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchIndexedRealtimeMinspan number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchIndexedRealtimeOffset number: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatchLatestTime string: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatchLookups boolean: Enables or disables the lookups for this search. Defaults to 1.
dispatchMaxCount number: The maximum number of results before finalizing the search. Defaults to 500000.
dispatchMaxTime number: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatchReduceFreq number: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatchRtBackfill boolean: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatchRtMaximumSpan number: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
dispatchSpawnProcess boolean: Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
dispatchTimeFormat string: A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
dispatchTtl string: Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
displayView string: Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
isScheduled boolean: Whether this search is to be run on a schedule
isVisible boolean: Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
maxConcurrent number: The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
name string: A name for the search.
realtimeSchedule boolean: Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
requestUiDispatchApp string: Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
requestUiDispatchView string: Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restartOnSearchpeerAdd boolean: Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
runOnStartup boolean: Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
schedulePriority string: Raises the scheduling priority of the named search. Defaults to Default
scheduleWindow string: Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
search string: Required when creating a new search.
vsid string: Defines the viewstate id associated with the UI view listed in 'displayview'.
workloadPool string: Specifies the new workload pool where the existing running search will be placed.`

acl SavedSearchesAclArgs: The app/user context that is the namespace for the resource
action_create_xsoar_incident str: Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
action_create_xsoar_incident_param_custom_fields str: XSOAR custom incident fields (should be a comma separated list)
action_create_xsoar_incident_param_details str: XSOAR incident description
action_create_xsoar_incident_param_incident_name str: XSOAR incident name
action_create_xsoar_incident_param_occurred str: XSOAR incident time
action_create_xsoar_incident_param_send_all_servers str: Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
action_create_xsoar_incident_param_server_url str: XSOAR Server instance URL (Should start with https:// || http://)
action_create_xsoar_incident_param_severity str: XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
action_create_xsoar_incident_param_type str: XSOAR incident type
action_email bool: The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_email_auth_password str: The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
action_email_auth_username str: The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
action_email_bcc str: BCC email address to use if action.email is enabled.
action_email_cc str: CC email address to use if action.email is enabled.
action_email_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_email_format str: Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
action_email_from str: Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
action_email_hostname str: Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
action_email_include_results_link int: Specify whether to include a link to the results. Defaults to 0.
action_email_include_search int: Specify whether to include the search that caused an email to be sent. Defaults to 0.
action_email_include_trigger int: Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
action_email_include_trigger_time int: Specify whether to show the time that the alert was fired. Defaults to 0.
action_email_include_view_link int: Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
action_email_inline bool: Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
action_email_mailserver str: Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
action_email_max_results int: Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
action_email_max_time str: Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
action_email_message_alert str: Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
action_email_message_report str: Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
action_email_pdfview str: The name of the view to deliver if sendpdf is enabled
action_email_preprocess_results str: Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
action_email_report_cid_font_list str: Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
action_email_report_include_splunk_logo bool: Indicates whether to include the Splunk logo with the report.
action_email_report_paper_orientation str: Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
action_email_report_paper_size str: Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
action_email_report_server_enabled bool: No Supported
action_email_report_server_url str: Not supported.For a default locally installed report server, the URL is http://localhost:8091/
action_email_send_csv int: Specify whether to send results as a CSV file. Defaults to 0.
action_email_send_pdf bool: Indicates whether to create and send the results as a PDF. Defaults to false.
action_email_send_results bool: Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
action_email_subject str: Specifies an alternate email subject.Defaults to SplunkAlert-.
action_email_to str: A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action_email_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_email_ttl str: Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
action_email_use_ssl bool: Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
action_email_use_tls bool: Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
action_email_width_sort_columns bool: Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
action_jira_service_desk_param_account str: Jira Service Desk account name
action_jira_service_desk_param_jira_description str: Jira issue description
action_jira_service_desk_param_jira_issue_type str: Jira issue type name
action_jira_service_desk_param_jira_priority str: Jira priority of issue
action_jira_service_desk_param_jira_project str: Jira Project name
action_jira_service_desk_param_jira_summary str: Jira issue title/summary
action_pagerduty_custom_details str: The PagerDuty custom details information.
action_pagerduty_integration_key str: The PagerDuty integration Key.
action_pagerduty_integration_key_override str: The PagerDuty integration Key override.
action_pagerduty_integration_url str: The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
action_pagerduty_integration_url_override str: The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
action_populate_lookup bool: The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_populate_lookup_command str: The search command (or pipeline) which is responsible for executing the action.
action_populate_lookup_dest str: Lookup name of path of the lookup to populate
action_populate_lookup_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_populate_lookup_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_populate_lookup_max_time int: Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
action_populate_lookup_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_populate_lookup_ttl str: Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
action_rss bool: The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
action_rss_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_rss_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_rss_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_rss_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_rss_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_rss_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_script bool: The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_script_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_script_filename str: File name of the script to call. Required if script action is enabled
action_script_hostname str: Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_script_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_script_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_script_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_script_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_slack_param_attachment str: Include a message attachment. Valid values are message, none, or alert_link
action_slack_param_channel str: Slack channel to send the message to (Should start with # or @)
action_slack_param_fields str: Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
action_slack_param_message str: Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
action_slack_param_webhook_url_override str: You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
action_snow_event_param_account str: Account(s) for which the event is/ are to be created across ServiceNow instance(s).
action_snow_event_param_additional_info str: You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
action_snow_event_param_ci_identifier str: String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
action_snow_event_param_custom_fields str: The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
action_snow_event_param_description str: A brief description of the event.
action_snow_event_param_node str: The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
action_snow_event_param_resource str: The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
action_snow_event_param_severity int: The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
action_snow_event_param_type str: The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
action_summary_index bool: The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
action_summary_index_command str: The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
action_summary_index_hostname str: Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
action_summary_index_inline bool: Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
action_summary_index_max_results int: Sets the maximum number of search results sent using alerts. Defaults to 100.
action_summary_index_max_time int: Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action_summary_index_name str: Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
action_summary_index_track_alert bool: Indicates whether the execution of this action signifies a trackable alert.
action_summary_index_ttl str: Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
action_webhook_param_url str: URL to send the HTTP POST request to. Must be accessible from the Splunk server
actions str: A comma-separated list of actions to enable. For example: rss,email
alert_comparator str: One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
alert_condition str: Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
alert_digest_mode bool: Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
alert_expires str: Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alert_severity int: Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
alert_suppress bool: Indicates whether alert suppression is enabled for this scheduled search.
alert_suppress_fields str: Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert_suppress_period str: Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
alert_threshold str: Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
alert_track bool: Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
alert_type str: What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
allow_skew str: Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
auto_summarize bool: Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
auto_summarize_command str: An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
auto_summarize_cron_schedule str: Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
auto_summarize_dispatch_earliest_time str: A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
auto_summarize_dispatch_latest_time str: A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
auto_summarize_dispatch_time_format str: Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
auto_summarize_dispatch_ttl str: Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
auto_summarize_max_disabled_buckets int: The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
auto_summarize_max_summary_ratio float: The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
auto_summarize_max_summary_size int: The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
auto_summarize_max_time int: Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
auto_summarize_suspend_period str: Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
auto_summarize_timespan str: The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
cron_schedule str: Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
description str: Human-readable description of this saved search. Defaults to empty string.
disabled bool: Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
dispatch_buckets int: The maximum number of timeline buckets. Defaults to 0.
dispatch_earliest_time str: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_index_earliest str: A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_index_latest str: A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_indexed_realtime bool: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_indexed_realtime_minspan int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatch_indexed_realtime_offset int: Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
dispatch_latest_time str: A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
dispatch_lookups bool: Enables or disables the lookups for this search. Defaults to 1.
dispatch_max_count int: The maximum number of results before finalizing the search. Defaults to 500000.
dispatch_max_time int: Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
dispatch_reduce_freq int: Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
dispatch_rt_backfill bool: Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
dispatch_rt_maximum_span int: Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.