1. Packages
  2. Splunk
  3. API Docs
  4. SavedSearches
Splunk v1.2.8 published on Wednesday, Jun 26, 2024 by Pulumi

splunk.SavedSearches

Explore with Pulumi AI

splunk logo
Splunk v1.2.8 published on Wednesday, Jun 26, 2024 by Pulumi

    # Resource: splunk.SavedSearches

    Create and manage saved searches.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as splunk from "@pulumi/splunk";
    
    const savedSearch = new splunk.SavedSearches("saved_search", {
        name: "Test New Alert",
        search: "index=main",
        actions: "email",
        actionEmailFormat: "table",
        actionEmailMaxTime: "5m",
        actionEmailMaxResults: 10,
        actionEmailSendResults: false,
        actionEmailSubject: "Splunk Alert: $name$",
        actionEmailTo: "splunk@splunk.com",
        actionEmailTrackAlert: true,
        dispatchEarliestTime: "rt-15m",
        dispatchLatestTime: "rt-0m",
        cronSchedule: "*/5 * * * *",
        acl: {
            owner: "admin",
            sharing: "app",
            app: "launcher",
        },
    });
    
    import pulumi
    import pulumi_splunk as splunk
    
    saved_search = splunk.SavedSearches("saved_search",
        name="Test New Alert",
        search="index=main",
        actions="email",
        action_email_format="table",
        action_email_max_time="5m",
        action_email_max_results=10,
        action_email_send_results=False,
        action_email_subject="Splunk Alert: $name$",
        action_email_to="splunk@splunk.com",
        action_email_track_alert=True,
        dispatch_earliest_time="rt-15m",
        dispatch_latest_time="rt-0m",
        cron_schedule="*/5 * * * *",
        acl=splunk.SavedSearchesAclArgs(
            owner="admin",
            sharing="app",
            app="launcher",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-splunk/sdk/go/splunk"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := splunk.NewSavedSearches(ctx, "saved_search", &splunk.SavedSearchesArgs{
    			Name:                   pulumi.String("Test New Alert"),
    			Search:                 pulumi.String("index=main"),
    			Actions:                pulumi.String("email"),
    			ActionEmailFormat:      pulumi.String("table"),
    			ActionEmailMaxTime:     pulumi.String("5m"),
    			ActionEmailMaxResults:  pulumi.Int(10),
    			ActionEmailSendResults: pulumi.Bool(false),
    			ActionEmailSubject:     pulumi.String("Splunk Alert: $name$"),
    			ActionEmailTo:          pulumi.String("splunk@splunk.com"),
    			ActionEmailTrackAlert:  pulumi.Bool(true),
    			DispatchEarliestTime:   pulumi.String("rt-15m"),
    			DispatchLatestTime:     pulumi.String("rt-0m"),
    			CronSchedule:           pulumi.String("*/5 * * * *"),
    			Acl: &splunk.SavedSearchesAclArgs{
    				Owner:   pulumi.String("admin"),
    				Sharing: pulumi.String("app"),
    				App:     pulumi.String("launcher"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Splunk = Pulumi.Splunk;
    
    return await Deployment.RunAsync(() => 
    {
        var savedSearch = new Splunk.SavedSearches("saved_search", new()
        {
            Name = "Test New Alert",
            Search = "index=main",
            Actions = "email",
            ActionEmailFormat = "table",
            ActionEmailMaxTime = "5m",
            ActionEmailMaxResults = 10,
            ActionEmailSendResults = false,
            ActionEmailSubject = "Splunk Alert: $name$",
            ActionEmailTo = "splunk@splunk.com",
            ActionEmailTrackAlert = true,
            DispatchEarliestTime = "rt-15m",
            DispatchLatestTime = "rt-0m",
            CronSchedule = "*/5 * * * *",
            Acl = new Splunk.Inputs.SavedSearchesAclArgs
            {
                Owner = "admin",
                Sharing = "app",
                App = "launcher",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.splunk.SavedSearches;
    import com.pulumi.splunk.SavedSearchesArgs;
    import com.pulumi.splunk.inputs.SavedSearchesAclArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var savedSearch = new SavedSearches("savedSearch", SavedSearchesArgs.builder()
                .name("Test New Alert")
                .search("index=main")
                .actions("email")
                .actionEmailFormat("table")
                .actionEmailMaxTime("5m")
                .actionEmailMaxResults(10)
                .actionEmailSendResults(false)
                .actionEmailSubject("Splunk Alert: $name$")
                .actionEmailTo("splunk@splunk.com")
                .actionEmailTrackAlert(true)
                .dispatchEarliestTime("rt-15m")
                .dispatchLatestTime("rt-0m")
                .cronSchedule("*/5 * * * *")
                .acl(SavedSearchesAclArgs.builder()
                    .owner("admin")
                    .sharing("app")
                    .app("launcher")
                    .build())
                .build());
    
        }
    }
    
    resources:
      savedSearch:
        type: splunk:SavedSearches
        name: saved_search
        properties:
          name: Test New Alert
          search: index=main
          actions: email
          actionEmailFormat: table
          actionEmailMaxTime: 5m
          actionEmailMaxResults: 10
          actionEmailSendResults: false
          actionEmailSubject: 'Splunk Alert: $name$'
          actionEmailTo: splunk@splunk.com
          actionEmailTrackAlert: true
          dispatchEarliestTime: rt-15m
          dispatchLatestTime: rt-0m
          cronSchedule: '*/5 * * * *'
          acl:
            owner: admin
            sharing: app
            app: launcher
    

    Create SavedSearches Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SavedSearches(name: string, args: SavedSearchesArgs, opts?: CustomResourceOptions);
    @overload
    def SavedSearches(resource_name: str,
                      args: SavedSearchesArgs,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def SavedSearches(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      search: Optional[str] = None,
                      acl: Optional[SavedSearchesAclArgs] = None,
                      action_create_xsoar_incident: Optional[str] = None,
                      action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
                      action_create_xsoar_incident_param_details: Optional[str] = None,
                      action_create_xsoar_incident_param_incident_name: Optional[str] = None,
                      action_create_xsoar_incident_param_occurred: Optional[str] = None,
                      action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
                      action_create_xsoar_incident_param_server_url: Optional[str] = None,
                      action_create_xsoar_incident_param_severity: Optional[str] = None,
                      action_create_xsoar_incident_param_type: Optional[str] = None,
                      action_email_auth_password: Optional[str] = None,
                      action_email_auth_username: Optional[str] = None,
                      action_email_bcc: Optional[str] = None,
                      action_email_cc: Optional[str] = None,
                      action_email_command: Optional[str] = None,
                      action_email_format: Optional[str] = None,
                      action_email_from: Optional[str] = None,
                      action_email_hostname: Optional[str] = None,
                      action_email_include_results_link: Optional[int] = None,
                      action_email_include_search: Optional[int] = None,
                      action_email_include_trigger: Optional[int] = None,
                      action_email_include_trigger_time: Optional[int] = None,
                      action_email_include_view_link: Optional[int] = None,
                      action_email_inline: Optional[bool] = None,
                      action_email_mailserver: Optional[str] = None,
                      action_email_max_results: Optional[int] = None,
                      action_email_max_time: Optional[str] = None,
                      action_email_message_alert: Optional[str] = None,
                      action_email_message_report: Optional[str] = None,
                      action_email_pdfview: Optional[str] = None,
                      action_email_preprocess_results: Optional[str] = None,
                      action_email_report_cid_font_list: Optional[str] = None,
                      action_email_report_include_splunk_logo: Optional[bool] = None,
                      action_email_report_paper_orientation: Optional[str] = None,
                      action_email_report_paper_size: Optional[str] = None,
                      action_email_report_server_enabled: Optional[bool] = None,
                      action_email_report_server_url: Optional[str] = None,
                      action_email_send_csv: Optional[int] = None,
                      action_email_send_pdf: Optional[bool] = None,
                      action_email_send_results: Optional[bool] = None,
                      action_email_subject: Optional[str] = None,
                      action_email_to: Optional[str] = None,
                      action_email_track_alert: Optional[bool] = None,
                      action_email_ttl: Optional[str] = None,
                      action_email_use_ssl: Optional[bool] = None,
                      action_email_use_tls: Optional[bool] = None,
                      action_email_width_sort_columns: Optional[bool] = None,
                      action_jira_service_desk_param_account: Optional[str] = None,
                      action_jira_service_desk_param_jira_description: Optional[str] = None,
                      action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
                      action_jira_service_desk_param_jira_priority: Optional[str] = None,
                      action_jira_service_desk_param_jira_project: Optional[str] = None,
                      action_jira_service_desk_param_jira_summary: Optional[str] = None,
                      action_pagerduty_custom_details: Optional[str] = None,
                      action_pagerduty_integration_key: Optional[str] = None,
                      action_pagerduty_integration_key_override: Optional[str] = None,
                      action_pagerduty_integration_url: Optional[str] = None,
                      action_pagerduty_integration_url_override: Optional[str] = None,
                      action_populate_lookup_command: Optional[str] = None,
                      action_populate_lookup_dest: Optional[str] = None,
                      action_populate_lookup_hostname: Optional[str] = None,
                      action_populate_lookup_max_results: Optional[int] = None,
                      action_populate_lookup_max_time: Optional[int] = None,
                      action_populate_lookup_track_alert: Optional[bool] = None,
                      action_populate_lookup_ttl: Optional[str] = None,
                      action_rss_command: Optional[str] = None,
                      action_rss_hostname: Optional[str] = None,
                      action_rss_max_results: Optional[int] = None,
                      action_rss_max_time: Optional[int] = None,
                      action_rss_track_alert: Optional[bool] = None,
                      action_rss_ttl: Optional[str] = None,
                      action_script_command: Optional[str] = None,
                      action_script_filename: Optional[str] = None,
                      action_script_hostname: Optional[str] = None,
                      action_script_max_results: Optional[int] = None,
                      action_script_max_time: Optional[int] = None,
                      action_script_track_alert: Optional[bool] = None,
                      action_script_ttl: Optional[str] = None,
                      action_slack_param_attachment: Optional[str] = None,
                      action_slack_param_channel: Optional[str] = None,
                      action_slack_param_fields: Optional[str] = None,
                      action_slack_param_message: Optional[str] = None,
                      action_slack_param_webhook_url_override: Optional[str] = None,
                      action_snow_event_param_account: Optional[str] = None,
                      action_snow_event_param_additional_info: Optional[str] = None,
                      action_snow_event_param_ci_identifier: Optional[str] = None,
                      action_snow_event_param_custom_fields: Optional[str] = None,
                      action_snow_event_param_description: Optional[str] = None,
                      action_snow_event_param_node: Optional[str] = None,
                      action_snow_event_param_resource: Optional[str] = None,
                      action_snow_event_param_severity: Optional[int] = None,
                      action_snow_event_param_type: Optional[str] = None,
                      action_summary_index_command: Optional[str] = None,
                      action_summary_index_hostname: Optional[str] = None,
                      action_summary_index_inline: Optional[bool] = None,
                      action_summary_index_max_results: Optional[int] = None,
                      action_summary_index_max_time: Optional[int] = None,
                      action_summary_index_name: Optional[str] = None,
                      action_summary_index_track_alert: Optional[bool] = None,
                      action_summary_index_ttl: Optional[str] = None,
                      action_webhook_param_url: Optional[str] = None,
                      actions: Optional[str] = None,
                      alert_comparator: Optional[str] = None,
                      alert_condition: Optional[str] = None,
                      alert_digest_mode: Optional[bool] = None,
                      alert_expires: Optional[str] = None,
                      alert_severity: Optional[int] = None,
                      alert_suppress: Optional[bool] = None,
                      alert_suppress_fields: Optional[str] = None,
                      alert_suppress_period: Optional[str] = None,
                      alert_threshold: Optional[str] = None,
                      alert_track: Optional[bool] = None,
                      alert_type: Optional[str] = None,
                      allow_skew: Optional[str] = None,
                      auto_summarize: Optional[bool] = None,
                      auto_summarize_command: Optional[str] = None,
                      auto_summarize_cron_schedule: Optional[str] = None,
                      auto_summarize_dispatch_earliest_time: Optional[str] = None,
                      auto_summarize_dispatch_latest_time: Optional[str] = None,
                      auto_summarize_dispatch_time_format: Optional[str] = None,
                      auto_summarize_dispatch_ttl: Optional[str] = None,
                      auto_summarize_max_disabled_buckets: Optional[int] = None,
                      auto_summarize_max_summary_ratio: Optional[float] = None,
                      auto_summarize_max_summary_size: Optional[int] = None,
                      auto_summarize_max_time: Optional[int] = None,
                      auto_summarize_suspend_period: Optional[str] = None,
                      auto_summarize_timespan: Optional[str] = None,
                      cron_schedule: Optional[str] = None,
                      description: Optional[str] = None,
                      disabled: Optional[bool] = None,
                      dispatch_buckets: Optional[int] = None,
                      dispatch_earliest_time: Optional[str] = None,
                      dispatch_index_earliest: Optional[str] = None,
                      dispatch_index_latest: Optional[str] = None,
                      dispatch_indexed_realtime: Optional[bool] = None,
                      dispatch_indexed_realtime_minspan: Optional[int] = None,
                      dispatch_indexed_realtime_offset: Optional[int] = None,
                      dispatch_latest_time: Optional[str] = None,
                      dispatch_lookups: Optional[bool] = None,
                      dispatch_max_count: Optional[int] = None,
                      dispatch_max_time: Optional[int] = None,
                      dispatch_reduce_freq: Optional[int] = None,
                      dispatch_rt_backfill: Optional[bool] = None,
                      dispatch_rt_maximum_span: Optional[int] = None,
                      dispatch_spawn_process: Optional[bool] = None,
                      dispatch_time_format: Optional[str] = None,
                      dispatch_ttl: Optional[str] = None,
                      display_view: Optional[str] = None,
                      is_scheduled: Optional[bool] = None,
                      is_visible: Optional[bool] = None,
                      max_concurrent: Optional[int] = None,
                      name: Optional[str] = None,
                      realtime_schedule: Optional[bool] = None,
                      request_ui_dispatch_app: Optional[str] = None,
                      request_ui_dispatch_view: Optional[str] = None,
                      restart_on_searchpeer_add: Optional[bool] = None,
                      run_on_startup: Optional[bool] = None,
                      schedule_priority: Optional[str] = None,
                      schedule_window: Optional[str] = None,
                      vsid: Optional[str] = None,
                      workload_pool: Optional[str] = None)
    func NewSavedSearches(ctx *Context, name string, args SavedSearchesArgs, opts ...ResourceOption) (*SavedSearches, error)
    public SavedSearches(string name, SavedSearchesArgs args, CustomResourceOptions? opts = null)
    public SavedSearches(String name, SavedSearchesArgs args)
    public SavedSearches(String name, SavedSearchesArgs args, CustomResourceOptions options)
    
    type: splunk:SavedSearches
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SavedSearchesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SavedSearchesArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SavedSearchesArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SavedSearchesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SavedSearchesArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var savedSearchesResource = new Splunk.SavedSearches("savedSearchesResource", new()
    {
        Search = "string",
        Acl = new Splunk.Inputs.SavedSearchesAclArgs
        {
            App = "string",
            CanChangePerms = false,
            CanShareApp = false,
            CanShareGlobal = false,
            CanShareUser = false,
            CanWrite = false,
            Owner = "string",
            Reads = new[]
            {
                "string",
            },
            Removable = false,
            Sharing = "string",
            Writes = new[]
            {
                "string",
            },
        },
        ActionCreateXsoarIncident = "string",
        ActionCreateXsoarIncidentParamCustomFields = "string",
        ActionCreateXsoarIncidentParamDetails = "string",
        ActionCreateXsoarIncidentParamIncidentName = "string",
        ActionCreateXsoarIncidentParamOccurred = "string",
        ActionCreateXsoarIncidentParamSendAllServers = "string",
        ActionCreateXsoarIncidentParamServerUrl = "string",
        ActionCreateXsoarIncidentParamSeverity = "string",
        ActionCreateXsoarIncidentParamType = "string",
        ActionEmailAuthPassword = "string",
        ActionEmailAuthUsername = "string",
        ActionEmailBcc = "string",
        ActionEmailCc = "string",
        ActionEmailCommand = "string",
        ActionEmailFormat = "string",
        ActionEmailFrom = "string",
        ActionEmailHostname = "string",
        ActionEmailIncludeResultsLink = 0,
        ActionEmailIncludeSearch = 0,
        ActionEmailIncludeTrigger = 0,
        ActionEmailIncludeTriggerTime = 0,
        ActionEmailIncludeViewLink = 0,
        ActionEmailInline = false,
        ActionEmailMailserver = "string",
        ActionEmailMaxResults = 0,
        ActionEmailMaxTime = "string",
        ActionEmailMessageAlert = "string",
        ActionEmailMessageReport = "string",
        ActionEmailPdfview = "string",
        ActionEmailPreprocessResults = "string",
        ActionEmailReportCidFontList = "string",
        ActionEmailReportIncludeSplunkLogo = false,
        ActionEmailReportPaperOrientation = "string",
        ActionEmailReportPaperSize = "string",
        ActionEmailReportServerEnabled = false,
        ActionEmailReportServerUrl = "string",
        ActionEmailSendCsv = 0,
        ActionEmailSendPdf = false,
        ActionEmailSendResults = false,
        ActionEmailSubject = "string",
        ActionEmailTo = "string",
        ActionEmailTrackAlert = false,
        ActionEmailTtl = "string",
        ActionEmailUseSsl = false,
        ActionEmailUseTls = false,
        ActionEmailWidthSortColumns = false,
        ActionJiraServiceDeskParamAccount = "string",
        ActionJiraServiceDeskParamJiraDescription = "string",
        ActionJiraServiceDeskParamJiraIssueType = "string",
        ActionJiraServiceDeskParamJiraPriority = "string",
        ActionJiraServiceDeskParamJiraProject = "string",
        ActionJiraServiceDeskParamJiraSummary = "string",
        ActionPagerdutyCustomDetails = "string",
        ActionPagerdutyIntegrationKey = "string",
        ActionPagerdutyIntegrationKeyOverride = "string",
        ActionPagerdutyIntegrationUrl = "string",
        ActionPagerdutyIntegrationUrlOverride = "string",
        ActionPopulateLookupCommand = "string",
        ActionPopulateLookupDest = "string",
        ActionPopulateLookupHostname = "string",
        ActionPopulateLookupMaxResults = 0,
        ActionPopulateLookupMaxTime = 0,
        ActionPopulateLookupTrackAlert = false,
        ActionPopulateLookupTtl = "string",
        ActionRssCommand = "string",
        ActionRssHostname = "string",
        ActionRssMaxResults = 0,
        ActionRssMaxTime = 0,
        ActionRssTrackAlert = false,
        ActionRssTtl = "string",
        ActionScriptCommand = "string",
        ActionScriptFilename = "string",
        ActionScriptHostname = "string",
        ActionScriptMaxResults = 0,
        ActionScriptMaxTime = 0,
        ActionScriptTrackAlert = false,
        ActionScriptTtl = "string",
        ActionSlackParamAttachment = "string",
        ActionSlackParamChannel = "string",
        ActionSlackParamFields = "string",
        ActionSlackParamMessage = "string",
        ActionSlackParamWebhookUrlOverride = "string",
        ActionSnowEventParamAccount = "string",
        ActionSnowEventParamAdditionalInfo = "string",
        ActionSnowEventParamCiIdentifier = "string",
        ActionSnowEventParamCustomFields = "string",
        ActionSnowEventParamDescription = "string",
        ActionSnowEventParamNode = "string",
        ActionSnowEventParamResource = "string",
        ActionSnowEventParamSeverity = 0,
        ActionSnowEventParamType = "string",
        ActionSummaryIndexCommand = "string",
        ActionSummaryIndexHostname = "string",
        ActionSummaryIndexInline = false,
        ActionSummaryIndexMaxResults = 0,
        ActionSummaryIndexMaxTime = 0,
        ActionSummaryIndexName = "string",
        ActionSummaryIndexTrackAlert = false,
        ActionSummaryIndexTtl = "string",
        ActionWebhookParamUrl = "string",
        Actions = "string",
        AlertComparator = "string",
        AlertCondition = "string",
        AlertDigestMode = false,
        AlertExpires = "string",
        AlertSeverity = 0,
        AlertSuppress = false,
        AlertSuppressFields = "string",
        AlertSuppressPeriod = "string",
        AlertThreshold = "string",
        AlertTrack = false,
        AlertType = "string",
        AllowSkew = "string",
        AutoSummarize = false,
        AutoSummarizeCommand = "string",
        AutoSummarizeCronSchedule = "string",
        AutoSummarizeDispatchEarliestTime = "string",
        AutoSummarizeDispatchLatestTime = "string",
        AutoSummarizeDispatchTimeFormat = "string",
        AutoSummarizeDispatchTtl = "string",
        AutoSummarizeMaxDisabledBuckets = 0,
        AutoSummarizeMaxSummaryRatio = 0,
        AutoSummarizeMaxSummarySize = 0,
        AutoSummarizeMaxTime = 0,
        AutoSummarizeSuspendPeriod = "string",
        AutoSummarizeTimespan = "string",
        CronSchedule = "string",
        Description = "string",
        Disabled = false,
        DispatchBuckets = 0,
        DispatchEarliestTime = "string",
        DispatchIndexEarliest = "string",
        DispatchIndexLatest = "string",
        DispatchIndexedRealtime = false,
        DispatchIndexedRealtimeMinspan = 0,
        DispatchIndexedRealtimeOffset = 0,
        DispatchLatestTime = "string",
        DispatchLookups = false,
        DispatchMaxCount = 0,
        DispatchMaxTime = 0,
        DispatchReduceFreq = 0,
        DispatchRtBackfill = false,
        DispatchRtMaximumSpan = 0,
        DispatchSpawnProcess = false,
        DispatchTimeFormat = "string",
        DispatchTtl = "string",
        DisplayView = "string",
        IsScheduled = false,
        IsVisible = false,
        MaxConcurrent = 0,
        Name = "string",
        RealtimeSchedule = false,
        RequestUiDispatchApp = "string",
        RequestUiDispatchView = "string",
        RestartOnSearchpeerAdd = false,
        RunOnStartup = false,
        SchedulePriority = "string",
        ScheduleWindow = "string",
        Vsid = "string",
        WorkloadPool = "string",
    });
    
    example, err := splunk.NewSavedSearches(ctx, "savedSearchesResource", &splunk.SavedSearchesArgs{
    	Search: pulumi.String("string"),
    	Acl: &splunk.SavedSearchesAclArgs{
    		App:            pulumi.String("string"),
    		CanChangePerms: pulumi.Bool(false),
    		CanShareApp:    pulumi.Bool(false),
    		CanShareGlobal: pulumi.Bool(false),
    		CanShareUser:   pulumi.Bool(false),
    		CanWrite:       pulumi.Bool(false),
    		Owner:          pulumi.String("string"),
    		Reads: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		Removable: pulumi.Bool(false),
    		Sharing:   pulumi.String("string"),
    		Writes: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	ActionCreateXsoarIncident:                    pulumi.String("string"),
    	ActionCreateXsoarIncidentParamCustomFields:   pulumi.String("string"),
    	ActionCreateXsoarIncidentParamDetails:        pulumi.String("string"),
    	ActionCreateXsoarIncidentParamIncidentName:   pulumi.String("string"),
    	ActionCreateXsoarIncidentParamOccurred:       pulumi.String("string"),
    	ActionCreateXsoarIncidentParamSendAllServers: pulumi.String("string"),
    	ActionCreateXsoarIncidentParamServerUrl:      pulumi.String("string"),
    	ActionCreateXsoarIncidentParamSeverity:       pulumi.String("string"),
    	ActionCreateXsoarIncidentParamType:           pulumi.String("string"),
    	ActionEmailAuthPassword:                      pulumi.String("string"),
    	ActionEmailAuthUsername:                      pulumi.String("string"),
    	ActionEmailBcc:                               pulumi.String("string"),
    	ActionEmailCc:                                pulumi.String("string"),
    	ActionEmailCommand:                           pulumi.String("string"),
    	ActionEmailFormat:                            pulumi.String("string"),
    	ActionEmailFrom:                              pulumi.String("string"),
    	ActionEmailHostname:                          pulumi.String("string"),
    	ActionEmailIncludeResultsLink:                pulumi.Int(0),
    	ActionEmailIncludeSearch:                     pulumi.Int(0),
    	ActionEmailIncludeTrigger:                    pulumi.Int(0),
    	ActionEmailIncludeTriggerTime:                pulumi.Int(0),
    	ActionEmailIncludeViewLink:                   pulumi.Int(0),
    	ActionEmailInline:                            pulumi.Bool(false),
    	ActionEmailMailserver:                        pulumi.String("string"),
    	ActionEmailMaxResults:                        pulumi.Int(0),
    	ActionEmailMaxTime:                           pulumi.String("string"),
    	ActionEmailMessageAlert:                      pulumi.String("string"),
    	ActionEmailMessageReport:                     pulumi.String("string"),
    	ActionEmailPdfview:                           pulumi.String("string"),
    	ActionEmailPreprocessResults:                 pulumi.String("string"),
    	ActionEmailReportCidFontList:                 pulumi.String("string"),
    	ActionEmailReportIncludeSplunkLogo:           pulumi.Bool(false),
    	ActionEmailReportPaperOrientation:            pulumi.String("string"),
    	ActionEmailReportPaperSize:                   pulumi.String("string"),
    	ActionEmailReportServerEnabled:               pulumi.Bool(false),
    	ActionEmailReportServerUrl:                   pulumi.String("string"),
    	ActionEmailSendCsv:                           pulumi.Int(0),
    	ActionEmailSendPdf:                           pulumi.Bool(false),
    	ActionEmailSendResults:                       pulumi.Bool(false),
    	ActionEmailSubject:                           pulumi.String("string"),
    	ActionEmailTo:                                pulumi.String("string"),
    	ActionEmailTrackAlert:                        pulumi.Bool(false),
    	ActionEmailTtl:                               pulumi.String("string"),
    	ActionEmailUseSsl:                            pulumi.Bool(false),
    	ActionEmailUseTls:                            pulumi.Bool(false),
    	ActionEmailWidthSortColumns:                  pulumi.Bool(false),
    	ActionJiraServiceDeskParamAccount:            pulumi.String("string"),
    	ActionJiraServiceDeskParamJiraDescription:    pulumi.String("string"),
    	ActionJiraServiceDeskParamJiraIssueType:      pulumi.String("string"),
    	ActionJiraServiceDeskParamJiraPriority:       pulumi.String("string"),
    	ActionJiraServiceDeskParamJiraProject:        pulumi.String("string"),
    	ActionJiraServiceDeskParamJiraSummary:        pulumi.String("string"),
    	ActionPagerdutyCustomDetails:                 pulumi.String("string"),
    	ActionPagerdutyIntegrationKey:                pulumi.String("string"),
    	ActionPagerdutyIntegrationKeyOverride:        pulumi.String("string"),
    	ActionPagerdutyIntegrationUrl:                pulumi.String("string"),
    	ActionPagerdutyIntegrationUrlOverride:        pulumi.String("string"),
    	ActionPopulateLookupCommand:                  pulumi.String("string"),
    	ActionPopulateLookupDest:                     pulumi.String("string"),
    	ActionPopulateLookupHostname:                 pulumi.String("string"),
    	ActionPopulateLookupMaxResults:               pulumi.Int(0),
    	ActionPopulateLookupMaxTime:                  pulumi.Int(0),
    	ActionPopulateLookupTrackAlert:               pulumi.Bool(false),
    	ActionPopulateLookupTtl:                      pulumi.String("string"),
    	ActionRssCommand:                             pulumi.String("string"),
    	ActionRssHostname:                            pulumi.String("string"),
    	ActionRssMaxResults:                          pulumi.Int(0),
    	ActionRssMaxTime:                             pulumi.Int(0),
    	ActionRssTrackAlert:                          pulumi.Bool(false),
    	ActionRssTtl:                                 pulumi.String("string"),
    	ActionScriptCommand:                          pulumi.String("string"),
    	ActionScriptFilename:                         pulumi.String("string"),
    	ActionScriptHostname:                         pulumi.String("string"),
    	ActionScriptMaxResults:                       pulumi.Int(0),
    	ActionScriptMaxTime:                          pulumi.Int(0),
    	ActionScriptTrackAlert:                       pulumi.Bool(false),
    	ActionScriptTtl:                              pulumi.String("string"),
    	ActionSlackParamAttachment:                   pulumi.String("string"),
    	ActionSlackParamChannel:                      pulumi.String("string"),
    	ActionSlackParamFields:                       pulumi.String("string"),
    	ActionSlackParamMessage:                      pulumi.String("string"),
    	ActionSlackParamWebhookUrlOverride:           pulumi.String("string"),
    	ActionSnowEventParamAccount:                  pulumi.String("string"),
    	ActionSnowEventParamAdditionalInfo:           pulumi.String("string"),
    	ActionSnowEventParamCiIdentifier:             pulumi.String("string"),
    	ActionSnowEventParamCustomFields:             pulumi.String("string"),
    	ActionSnowEventParamDescription:              pulumi.String("string"),
    	ActionSnowEventParamNode:                     pulumi.String("string"),
    	ActionSnowEventParamResource:                 pulumi.String("string"),
    	ActionSnowEventParamSeverity:                 pulumi.Int(0),
    	ActionSnowEventParamType:                     pulumi.String("string"),
    	ActionSummaryIndexCommand:                    pulumi.String("string"),
    	ActionSummaryIndexHostname:                   pulumi.String("string"),
    	ActionSummaryIndexInline:                     pulumi.Bool(false),
    	ActionSummaryIndexMaxResults:                 pulumi.Int(0),
    	ActionSummaryIndexMaxTime:                    pulumi.Int(0),
    	ActionSummaryIndexName:                       pulumi.String("string"),
    	ActionSummaryIndexTrackAlert:                 pulumi.Bool(false),
    	ActionSummaryIndexTtl:                        pulumi.String("string"),
    	ActionWebhookParamUrl:                        pulumi.String("string"),
    	Actions:                                      pulumi.String("string"),
    	AlertComparator:                              pulumi.String("string"),
    	AlertCondition:                               pulumi.String("string"),
    	AlertDigestMode:                              pulumi.Bool(false),
    	AlertExpires:                                 pulumi.String("string"),
    	AlertSeverity:                                pulumi.Int(0),
    	AlertSuppress:                                pulumi.Bool(false),
    	AlertSuppressFields:                          pulumi.String("string"),
    	AlertSuppressPeriod:                          pulumi.String("string"),
    	AlertThreshold:                               pulumi.String("string"),
    	AlertTrack:                                   pulumi.Bool(false),
    	AlertType:                                    pulumi.String("string"),
    	AllowSkew:                                    pulumi.String("string"),
    	AutoSummarize:                                pulumi.Bool(false),
    	AutoSummarizeCommand:                         pulumi.String("string"),
    	AutoSummarizeCronSchedule:                    pulumi.String("string"),
    	AutoSummarizeDispatchEarliestTime:            pulumi.String("string"),
    	AutoSummarizeDispatchLatestTime:              pulumi.String("string"),
    	AutoSummarizeDispatchTimeFormat:              pulumi.String("string"),
    	AutoSummarizeDispatchTtl:                     pulumi.String("string"),
    	AutoSummarizeMaxDisabledBuckets:              pulumi.Int(0),
    	AutoSummarizeMaxSummaryRatio:                 pulumi.Float64(0),
    	AutoSummarizeMaxSummarySize:                  pulumi.Int(0),
    	AutoSummarizeMaxTime:                         pulumi.Int(0),
    	AutoSummarizeSuspendPeriod:                   pulumi.String("string"),
    	AutoSummarizeTimespan:                        pulumi.String("string"),
    	CronSchedule:                                 pulumi.String("string"),
    	Description:                                  pulumi.String("string"),
    	Disabled:                                     pulumi.Bool(false),
    	DispatchBuckets:                              pulumi.Int(0),
    	DispatchEarliestTime:                         pulumi.String("string"),
    	DispatchIndexEarliest:                        pulumi.String("string"),
    	DispatchIndexLatest:                          pulumi.String("string"),
    	DispatchIndexedRealtime:                      pulumi.Bool(false),
    	DispatchIndexedRealtimeMinspan:               pulumi.Int(0),
    	DispatchIndexedRealtimeOffset:                pulumi.Int(0),
    	DispatchLatestTime:                           pulumi.String("string"),
    	DispatchLookups:                              pulumi.Bool(false),
    	DispatchMaxCount:                             pulumi.Int(0),
    	DispatchMaxTime:                              pulumi.Int(0),
    	DispatchReduceFreq:                           pulumi.Int(0),
    	DispatchRtBackfill:                           pulumi.Bool(false),
    	DispatchRtMaximumSpan:                        pulumi.Int(0),
    	DispatchSpawnProcess:                         pulumi.Bool(false),
    	DispatchTimeFormat:                           pulumi.String("string"),
    	DispatchTtl:                                  pulumi.String("string"),
    	DisplayView:                                  pulumi.String("string"),
    	IsScheduled:                                  pulumi.Bool(false),
    	IsVisible:                                    pulumi.Bool(false),
    	MaxConcurrent:                                pulumi.Int(0),
    	Name:                                         pulumi.String("string"),
    	RealtimeSchedule:                             pulumi.Bool(false),
    	RequestUiDispatchApp:                         pulumi.String("string"),
    	RequestUiDispatchView:                        pulumi.String("string"),
    	RestartOnSearchpeerAdd:                       pulumi.Bool(false),
    	RunOnStartup:                                 pulumi.Bool(false),
    	SchedulePriority:                             pulumi.String("string"),
    	ScheduleWindow:                               pulumi.String("string"),
    	Vsid:                                         pulumi.String("string"),
    	WorkloadPool:                                 pulumi.String("string"),
    })
    
    var savedSearchesResource = new SavedSearches("savedSearchesResource", SavedSearchesArgs.builder()
        .search("string")
        .acl(SavedSearchesAclArgs.builder()
            .app("string")
            .canChangePerms(false)
            .canShareApp(false)
            .canShareGlobal(false)
            .canShareUser(false)
            .canWrite(false)
            .owner("string")
            .reads("string")
            .removable(false)
            .sharing("string")
            .writes("string")
            .build())
        .actionCreateXsoarIncident("string")
        .actionCreateXsoarIncidentParamCustomFields("string")
        .actionCreateXsoarIncidentParamDetails("string")
        .actionCreateXsoarIncidentParamIncidentName("string")
        .actionCreateXsoarIncidentParamOccurred("string")
        .actionCreateXsoarIncidentParamSendAllServers("string")
        .actionCreateXsoarIncidentParamServerUrl("string")
        .actionCreateXsoarIncidentParamSeverity("string")
        .actionCreateXsoarIncidentParamType("string")
        .actionEmailAuthPassword("string")
        .actionEmailAuthUsername("string")
        .actionEmailBcc("string")
        .actionEmailCc("string")
        .actionEmailCommand("string")
        .actionEmailFormat("string")
        .actionEmailFrom("string")
        .actionEmailHostname("string")
        .actionEmailIncludeResultsLink(0)
        .actionEmailIncludeSearch(0)
        .actionEmailIncludeTrigger(0)
        .actionEmailIncludeTriggerTime(0)
        .actionEmailIncludeViewLink(0)
        .actionEmailInline(false)
        .actionEmailMailserver("string")
        .actionEmailMaxResults(0)
        .actionEmailMaxTime("string")
        .actionEmailMessageAlert("string")
        .actionEmailMessageReport("string")
        .actionEmailPdfview("string")
        .actionEmailPreprocessResults("string")
        .actionEmailReportCidFontList("string")
        .actionEmailReportIncludeSplunkLogo(false)
        .actionEmailReportPaperOrientation("string")
        .actionEmailReportPaperSize("string")
        .actionEmailReportServerEnabled(false)
        .actionEmailReportServerUrl("string")
        .actionEmailSendCsv(0)
        .actionEmailSendPdf(false)
        .actionEmailSendResults(false)
        .actionEmailSubject("string")
        .actionEmailTo("string")
        .actionEmailTrackAlert(false)
        .actionEmailTtl("string")
        .actionEmailUseSsl(false)
        .actionEmailUseTls(false)
        .actionEmailWidthSortColumns(false)
        .actionJiraServiceDeskParamAccount("string")
        .actionJiraServiceDeskParamJiraDescription("string")
        .actionJiraServiceDeskParamJiraIssueType("string")
        .actionJiraServiceDeskParamJiraPriority("string")
        .actionJiraServiceDeskParamJiraProject("string")
        .actionJiraServiceDeskParamJiraSummary("string")
        .actionPagerdutyCustomDetails("string")
        .actionPagerdutyIntegrationKey("string")
        .actionPagerdutyIntegrationKeyOverride("string")
        .actionPagerdutyIntegrationUrl("string")
        .actionPagerdutyIntegrationUrlOverride("string")
        .actionPopulateLookupCommand("string")
        .actionPopulateLookupDest("string")
        .actionPopulateLookupHostname("string")
        .actionPopulateLookupMaxResults(0)
        .actionPopulateLookupMaxTime(0)
        .actionPopulateLookupTrackAlert(false)
        .actionPopulateLookupTtl("string")
        .actionRssCommand("string")
        .actionRssHostname("string")
        .actionRssMaxResults(0)
        .actionRssMaxTime(0)
        .actionRssTrackAlert(false)
        .actionRssTtl("string")
        .actionScriptCommand("string")
        .actionScriptFilename("string")
        .actionScriptHostname("string")
        .actionScriptMaxResults(0)
        .actionScriptMaxTime(0)
        .actionScriptTrackAlert(false)
        .actionScriptTtl("string")
        .actionSlackParamAttachment("string")
        .actionSlackParamChannel("string")
        .actionSlackParamFields("string")
        .actionSlackParamMessage("string")
        .actionSlackParamWebhookUrlOverride("string")
        .actionSnowEventParamAccount("string")
        .actionSnowEventParamAdditionalInfo("string")
        .actionSnowEventParamCiIdentifier("string")
        .actionSnowEventParamCustomFields("string")
        .actionSnowEventParamDescription("string")
        .actionSnowEventParamNode("string")
        .actionSnowEventParamResource("string")
        .actionSnowEventParamSeverity(0)
        .actionSnowEventParamType("string")
        .actionSummaryIndexCommand("string")
        .actionSummaryIndexHostname("string")
        .actionSummaryIndexInline(false)
        .actionSummaryIndexMaxResults(0)
        .actionSummaryIndexMaxTime(0)
        .actionSummaryIndexName("string")
        .actionSummaryIndexTrackAlert(false)
        .actionSummaryIndexTtl("string")
        .actionWebhookParamUrl("string")
        .actions("string")
        .alertComparator("string")
        .alertCondition("string")
        .alertDigestMode(false)
        .alertExpires("string")
        .alertSeverity(0)
        .alertSuppress(false)
        .alertSuppressFields("string")
        .alertSuppressPeriod("string")
        .alertThreshold("string")
        .alertTrack(false)
        .alertType("string")
        .allowSkew("string")
        .autoSummarize(false)
        .autoSummarizeCommand("string")
        .autoSummarizeCronSchedule("string")
        .autoSummarizeDispatchEarliestTime("string")
        .autoSummarizeDispatchLatestTime("string")
        .autoSummarizeDispatchTimeFormat("string")
        .autoSummarizeDispatchTtl("string")
        .autoSummarizeMaxDisabledBuckets(0)
        .autoSummarizeMaxSummaryRatio(0)
        .autoSummarizeMaxSummarySize(0)
        .autoSummarizeMaxTime(0)
        .autoSummarizeSuspendPeriod("string")
        .autoSummarizeTimespan("string")
        .cronSchedule("string")
        .description("string")
        .disabled(false)
        .dispatchBuckets(0)
        .dispatchEarliestTime("string")
        .dispatchIndexEarliest("string")
        .dispatchIndexLatest("string")
        .dispatchIndexedRealtime(false)
        .dispatchIndexedRealtimeMinspan(0)
        .dispatchIndexedRealtimeOffset(0)
        .dispatchLatestTime("string")
        .dispatchLookups(false)
        .dispatchMaxCount(0)
        .dispatchMaxTime(0)
        .dispatchReduceFreq(0)
        .dispatchRtBackfill(false)
        .dispatchRtMaximumSpan(0)
        .dispatchSpawnProcess(false)
        .dispatchTimeFormat("string")
        .dispatchTtl("string")
        .displayView("string")
        .isScheduled(false)
        .isVisible(false)
        .maxConcurrent(0)
        .name("string")
        .realtimeSchedule(false)
        .requestUiDispatchApp("string")
        .requestUiDispatchView("string")
        .restartOnSearchpeerAdd(false)
        .runOnStartup(false)
        .schedulePriority("string")
        .scheduleWindow("string")
        .vsid("string")
        .workloadPool("string")
        .build());
    
    saved_searches_resource = splunk.SavedSearches("savedSearchesResource",
        search="string",
        acl=splunk.SavedSearchesAclArgs(
            app="string",
            can_change_perms=False,
            can_share_app=False,
            can_share_global=False,
            can_share_user=False,
            can_write=False,
            owner="string",
            reads=["string"],
            removable=False,
            sharing="string",
            writes=["string"],
        ),
        action_create_xsoar_incident="string",
        action_create_xsoar_incident_param_custom_fields="string",
        action_create_xsoar_incident_param_details="string",
        action_create_xsoar_incident_param_incident_name="string",
        action_create_xsoar_incident_param_occurred="string",
        action_create_xsoar_incident_param_send_all_servers="string",
        action_create_xsoar_incident_param_server_url="string",
        action_create_xsoar_incident_param_severity="string",
        action_create_xsoar_incident_param_type="string",
        action_email_auth_password="string",
        action_email_auth_username="string",
        action_email_bcc="string",
        action_email_cc="string",
        action_email_command="string",
        action_email_format="string",
        action_email_from="string",
        action_email_hostname="string",
        action_email_include_results_link=0,
        action_email_include_search=0,
        action_email_include_trigger=0,
        action_email_include_trigger_time=0,
        action_email_include_view_link=0,
        action_email_inline=False,
        action_email_mailserver="string",
        action_email_max_results=0,
        action_email_max_time="string",
        action_email_message_alert="string",
        action_email_message_report="string",
        action_email_pdfview="string",
        action_email_preprocess_results="string",
        action_email_report_cid_font_list="string",
        action_email_report_include_splunk_logo=False,
        action_email_report_paper_orientation="string",
        action_email_report_paper_size="string",
        action_email_report_server_enabled=False,
        action_email_report_server_url="string",
        action_email_send_csv=0,
        action_email_send_pdf=False,
        action_email_send_results=False,
        action_email_subject="string",
        action_email_to="string",
        action_email_track_alert=False,
        action_email_ttl="string",
        action_email_use_ssl=False,
        action_email_use_tls=False,
        action_email_width_sort_columns=False,
        action_jira_service_desk_param_account="string",
        action_jira_service_desk_param_jira_description="string",
        action_jira_service_desk_param_jira_issue_type="string",
        action_jira_service_desk_param_jira_priority="string",
        action_jira_service_desk_param_jira_project="string",
        action_jira_service_desk_param_jira_summary="string",
        action_pagerduty_custom_details="string",
        action_pagerduty_integration_key="string",
        action_pagerduty_integration_key_override="string",
        action_pagerduty_integration_url="string",
        action_pagerduty_integration_url_override="string",
        action_populate_lookup_command="string",
        action_populate_lookup_dest="string",
        action_populate_lookup_hostname="string",
        action_populate_lookup_max_results=0,
        action_populate_lookup_max_time=0,
        action_populate_lookup_track_alert=False,
        action_populate_lookup_ttl="string",
        action_rss_command="string",
        action_rss_hostname="string",
        action_rss_max_results=0,
        action_rss_max_time=0,
        action_rss_track_alert=False,
        action_rss_ttl="string",
        action_script_command="string",
        action_script_filename="string",
        action_script_hostname="string",
        action_script_max_results=0,
        action_script_max_time=0,
        action_script_track_alert=False,
        action_script_ttl="string",
        action_slack_param_attachment="string",
        action_slack_param_channel="string",
        action_slack_param_fields="string",
        action_slack_param_message="string",
        action_slack_param_webhook_url_override="string",
        action_snow_event_param_account="string",
        action_snow_event_param_additional_info="string",
        action_snow_event_param_ci_identifier="string",
        action_snow_event_param_custom_fields="string",
        action_snow_event_param_description="string",
        action_snow_event_param_node="string",
        action_snow_event_param_resource="string",
        action_snow_event_param_severity=0,
        action_snow_event_param_type="string",
        action_summary_index_command="string",
        action_summary_index_hostname="string",
        action_summary_index_inline=False,
        action_summary_index_max_results=0,
        action_summary_index_max_time=0,
        action_summary_index_name="string",
        action_summary_index_track_alert=False,
        action_summary_index_ttl="string",
        action_webhook_param_url="string",
        actions="string",
        alert_comparator="string",
        alert_condition="string",
        alert_digest_mode=False,
        alert_expires="string",
        alert_severity=0,
        alert_suppress=False,
        alert_suppress_fields="string",
        alert_suppress_period="string",
        alert_threshold="string",
        alert_track=False,
        alert_type="string",
        allow_skew="string",
        auto_summarize=False,
        auto_summarize_command="string",
        auto_summarize_cron_schedule="string",
        auto_summarize_dispatch_earliest_time="string",
        auto_summarize_dispatch_latest_time="string",
        auto_summarize_dispatch_time_format="string",
        auto_summarize_dispatch_ttl="string",
        auto_summarize_max_disabled_buckets=0,
        auto_summarize_max_summary_ratio=0,
        auto_summarize_max_summary_size=0,
        auto_summarize_max_time=0,
        auto_summarize_suspend_period="string",
        auto_summarize_timespan="string",
        cron_schedule="string",
        description="string",
        disabled=False,
        dispatch_buckets=0,
        dispatch_earliest_time="string",
        dispatch_index_earliest="string",
        dispatch_index_latest="string",
        dispatch_indexed_realtime=False,
        dispatch_indexed_realtime_minspan=0,
        dispatch_indexed_realtime_offset=0,
        dispatch_latest_time="string",
        dispatch_lookups=False,
        dispatch_max_count=0,
        dispatch_max_time=0,
        dispatch_reduce_freq=0,
        dispatch_rt_backfill=False,
        dispatch_rt_maximum_span=0,
        dispatch_spawn_process=False,
        dispatch_time_format="string",
        dispatch_ttl="string",
        display_view="string",
        is_scheduled=False,
        is_visible=False,
        max_concurrent=0,
        name="string",
        realtime_schedule=False,
        request_ui_dispatch_app="string",
        request_ui_dispatch_view="string",
        restart_on_searchpeer_add=False,
        run_on_startup=False,
        schedule_priority="string",
        schedule_window="string",
        vsid="string",
        workload_pool="string")
    
    const savedSearchesResource = new splunk.SavedSearches("savedSearchesResource", {
        search: "string",
        acl: {
            app: "string",
            canChangePerms: false,
            canShareApp: false,
            canShareGlobal: false,
            canShareUser: false,
            canWrite: false,
            owner: "string",
            reads: ["string"],
            removable: false,
            sharing: "string",
            writes: ["string"],
        },
        actionCreateXsoarIncident: "string",
        actionCreateXsoarIncidentParamCustomFields: "string",
        actionCreateXsoarIncidentParamDetails: "string",
        actionCreateXsoarIncidentParamIncidentName: "string",
        actionCreateXsoarIncidentParamOccurred: "string",
        actionCreateXsoarIncidentParamSendAllServers: "string",
        actionCreateXsoarIncidentParamServerUrl: "string",
        actionCreateXsoarIncidentParamSeverity: "string",
        actionCreateXsoarIncidentParamType: "string",
        actionEmailAuthPassword: "string",
        actionEmailAuthUsername: "string",
        actionEmailBcc: "string",
        actionEmailCc: "string",
        actionEmailCommand: "string",
        actionEmailFormat: "string",
        actionEmailFrom: "string",
        actionEmailHostname: "string",
        actionEmailIncludeResultsLink: 0,
        actionEmailIncludeSearch: 0,
        actionEmailIncludeTrigger: 0,
        actionEmailIncludeTriggerTime: 0,
        actionEmailIncludeViewLink: 0,
        actionEmailInline: false,
        actionEmailMailserver: "string",
        actionEmailMaxResults: 0,
        actionEmailMaxTime: "string",
        actionEmailMessageAlert: "string",
        actionEmailMessageReport: "string",
        actionEmailPdfview: "string",
        actionEmailPreprocessResults: "string",
        actionEmailReportCidFontList: "string",
        actionEmailReportIncludeSplunkLogo: false,
        actionEmailReportPaperOrientation: "string",
        actionEmailReportPaperSize: "string",
        actionEmailReportServerEnabled: false,
        actionEmailReportServerUrl: "string",
        actionEmailSendCsv: 0,
        actionEmailSendPdf: false,
        actionEmailSendResults: false,
        actionEmailSubject: "string",
        actionEmailTo: "string",
        actionEmailTrackAlert: false,
        actionEmailTtl: "string",
        actionEmailUseSsl: false,
        actionEmailUseTls: false,
        actionEmailWidthSortColumns: false,
        actionJiraServiceDeskParamAccount: "string",
        actionJiraServiceDeskParamJiraDescription: "string",
        actionJiraServiceDeskParamJiraIssueType: "string",
        actionJiraServiceDeskParamJiraPriority: "string",
        actionJiraServiceDeskParamJiraProject: "string",
        actionJiraServiceDeskParamJiraSummary: "string",
        actionPagerdutyCustomDetails: "string",
        actionPagerdutyIntegrationKey: "string",
        actionPagerdutyIntegrationKeyOverride: "string",
        actionPagerdutyIntegrationUrl: "string",
        actionPagerdutyIntegrationUrlOverride: "string",
        actionPopulateLookupCommand: "string",
        actionPopulateLookupDest: "string",
        actionPopulateLookupHostname: "string",
        actionPopulateLookupMaxResults: 0,
        actionPopulateLookupMaxTime: 0,
        actionPopulateLookupTrackAlert: false,
        actionPopulateLookupTtl: "string",
        actionRssCommand: "string",
        actionRssHostname: "string",
        actionRssMaxResults: 0,
        actionRssMaxTime: 0,
        actionRssTrackAlert: false,
        actionRssTtl: "string",
        actionScriptCommand: "string",
        actionScriptFilename: "string",
        actionScriptHostname: "string",
        actionScriptMaxResults: 0,
        actionScriptMaxTime: 0,
        actionScriptTrackAlert: false,
        actionScriptTtl: "string",
        actionSlackParamAttachment: "string",
        actionSlackParamChannel: "string",
        actionSlackParamFields: "string",
        actionSlackParamMessage: "string",
        actionSlackParamWebhookUrlOverride: "string",
        actionSnowEventParamAccount: "string",
        actionSnowEventParamAdditionalInfo: "string",
        actionSnowEventParamCiIdentifier: "string",
        actionSnowEventParamCustomFields: "string",
        actionSnowEventParamDescription: "string",
        actionSnowEventParamNode: "string",
        actionSnowEventParamResource: "string",
        actionSnowEventParamSeverity: 0,
        actionSnowEventParamType: "string",
        actionSummaryIndexCommand: "string",
        actionSummaryIndexHostname: "string",
        actionSummaryIndexInline: false,
        actionSummaryIndexMaxResults: 0,
        actionSummaryIndexMaxTime: 0,
        actionSummaryIndexName: "string",
        actionSummaryIndexTrackAlert: false,
        actionSummaryIndexTtl: "string",
        actionWebhookParamUrl: "string",
        actions: "string",
        alertComparator: "string",
        alertCondition: "string",
        alertDigestMode: false,
        alertExpires: "string",
        alertSeverity: 0,
        alertSuppress: false,
        alertSuppressFields: "string",
        alertSuppressPeriod: "string",
        alertThreshold: "string",
        alertTrack: false,
        alertType: "string",
        allowSkew: "string",
        autoSummarize: false,
        autoSummarizeCommand: "string",
        autoSummarizeCronSchedule: "string",
        autoSummarizeDispatchEarliestTime: "string",
        autoSummarizeDispatchLatestTime: "string",
        autoSummarizeDispatchTimeFormat: "string",
        autoSummarizeDispatchTtl: "string",
        autoSummarizeMaxDisabledBuckets: 0,
        autoSummarizeMaxSummaryRatio: 0,
        autoSummarizeMaxSummarySize: 0,
        autoSummarizeMaxTime: 0,
        autoSummarizeSuspendPeriod: "string",
        autoSummarizeTimespan: "string",
        cronSchedule: "string",
        description: "string",
        disabled: false,
        dispatchBuckets: 0,
        dispatchEarliestTime: "string",
        dispatchIndexEarliest: "string",
        dispatchIndexLatest: "string",
        dispatchIndexedRealtime: false,
        dispatchIndexedRealtimeMinspan: 0,
        dispatchIndexedRealtimeOffset: 0,
        dispatchLatestTime: "string",
        dispatchLookups: false,
        dispatchMaxCount: 0,
        dispatchMaxTime: 0,
        dispatchReduceFreq: 0,
        dispatchRtBackfill: false,
        dispatchRtMaximumSpan: 0,
        dispatchSpawnProcess: false,
        dispatchTimeFormat: "string",
        dispatchTtl: "string",
        displayView: "string",
        isScheduled: false,
        isVisible: false,
        maxConcurrent: 0,
        name: "string",
        realtimeSchedule: false,
        requestUiDispatchApp: "string",
        requestUiDispatchView: "string",
        restartOnSearchpeerAdd: false,
        runOnStartup: false,
        schedulePriority: "string",
        scheduleWindow: "string",
        vsid: "string",
        workloadPool: "string",
    });
    
    type: splunk:SavedSearches
    properties:
        acl:
            app: string
            canChangePerms: false
            canShareApp: false
            canShareGlobal: false
            canShareUser: false
            canWrite: false
            owner: string
            reads:
                - string
            removable: false
            sharing: string
            writes:
                - string
        actionCreateXsoarIncident: string
        actionCreateXsoarIncidentParamCustomFields: string
        actionCreateXsoarIncidentParamDetails: string
        actionCreateXsoarIncidentParamIncidentName: string
        actionCreateXsoarIncidentParamOccurred: string
        actionCreateXsoarIncidentParamSendAllServers: string
        actionCreateXsoarIncidentParamServerUrl: string
        actionCreateXsoarIncidentParamSeverity: string
        actionCreateXsoarIncidentParamType: string
        actionEmailAuthPassword: string
        actionEmailAuthUsername: string
        actionEmailBcc: string
        actionEmailCc: string
        actionEmailCommand: string
        actionEmailFormat: string
        actionEmailFrom: string
        actionEmailHostname: string
        actionEmailIncludeResultsLink: 0
        actionEmailIncludeSearch: 0
        actionEmailIncludeTrigger: 0
        actionEmailIncludeTriggerTime: 0
        actionEmailIncludeViewLink: 0
        actionEmailInline: false
        actionEmailMailserver: string
        actionEmailMaxResults: 0
        actionEmailMaxTime: string
        actionEmailMessageAlert: string
        actionEmailMessageReport: string
        actionEmailPdfview: string
        actionEmailPreprocessResults: string
        actionEmailReportCidFontList: string
        actionEmailReportIncludeSplunkLogo: false
        actionEmailReportPaperOrientation: string
        actionEmailReportPaperSize: string
        actionEmailReportServerEnabled: false
        actionEmailReportServerUrl: string
        actionEmailSendCsv: 0
        actionEmailSendPdf: false
        actionEmailSendResults: false
        actionEmailSubject: string
        actionEmailTo: string
        actionEmailTrackAlert: false
        actionEmailTtl: string
        actionEmailUseSsl: false
        actionEmailUseTls: false
        actionEmailWidthSortColumns: false
        actionJiraServiceDeskParamAccount: string
        actionJiraServiceDeskParamJiraDescription: string
        actionJiraServiceDeskParamJiraIssueType: string
        actionJiraServiceDeskParamJiraPriority: string
        actionJiraServiceDeskParamJiraProject: string
        actionJiraServiceDeskParamJiraSummary: string
        actionPagerdutyCustomDetails: string
        actionPagerdutyIntegrationKey: string
        actionPagerdutyIntegrationKeyOverride: string
        actionPagerdutyIntegrationUrl: string
        actionPagerdutyIntegrationUrlOverride: string
        actionPopulateLookupCommand: string
        actionPopulateLookupDest: string
        actionPopulateLookupHostname: string
        actionPopulateLookupMaxResults: 0
        actionPopulateLookupMaxTime: 0
        actionPopulateLookupTrackAlert: false
        actionPopulateLookupTtl: string
        actionRssCommand: string
        actionRssHostname: string
        actionRssMaxResults: 0
        actionRssMaxTime: 0
        actionRssTrackAlert: false
        actionRssTtl: string
        actionScriptCommand: string
        actionScriptFilename: string
        actionScriptHostname: string
        actionScriptMaxResults: 0
        actionScriptMaxTime: 0
        actionScriptTrackAlert: false
        actionScriptTtl: string
        actionSlackParamAttachment: string
        actionSlackParamChannel: string
        actionSlackParamFields: string
        actionSlackParamMessage: string
        actionSlackParamWebhookUrlOverride: string
        actionSnowEventParamAccount: string
        actionSnowEventParamAdditionalInfo: string
        actionSnowEventParamCiIdentifier: string
        actionSnowEventParamCustomFields: string
        actionSnowEventParamDescription: string
        actionSnowEventParamNode: string
        actionSnowEventParamResource: string
        actionSnowEventParamSeverity: 0
        actionSnowEventParamType: string
        actionSummaryIndexCommand: string
        actionSummaryIndexHostname: string
        actionSummaryIndexInline: false
        actionSummaryIndexMaxResults: 0
        actionSummaryIndexMaxTime: 0
        actionSummaryIndexName: string
        actionSummaryIndexTrackAlert: false
        actionSummaryIndexTtl: string
        actionWebhookParamUrl: string
        actions: string
        alertComparator: string
        alertCondition: string
        alertDigestMode: false
        alertExpires: string
        alertSeverity: 0
        alertSuppress: false
        alertSuppressFields: string
        alertSuppressPeriod: string
        alertThreshold: string
        alertTrack: false
        alertType: string
        allowSkew: string
        autoSummarize: false
        autoSummarizeCommand: string
        autoSummarizeCronSchedule: string
        autoSummarizeDispatchEarliestTime: string
        autoSummarizeDispatchLatestTime: string
        autoSummarizeDispatchTimeFormat: string
        autoSummarizeDispatchTtl: string
        autoSummarizeMaxDisabledBuckets: 0
        autoSummarizeMaxSummaryRatio: 0
        autoSummarizeMaxSummarySize: 0
        autoSummarizeMaxTime: 0
        autoSummarizeSuspendPeriod: string
        autoSummarizeTimespan: string
        cronSchedule: string
        description: string
        disabled: false
        dispatchBuckets: 0
        dispatchEarliestTime: string
        dispatchIndexEarliest: string
        dispatchIndexLatest: string
        dispatchIndexedRealtime: false
        dispatchIndexedRealtimeMinspan: 0
        dispatchIndexedRealtimeOffset: 0
        dispatchLatestTime: string
        dispatchLookups: false
        dispatchMaxCount: 0
        dispatchMaxTime: 0
        dispatchReduceFreq: 0
        dispatchRtBackfill: false
        dispatchRtMaximumSpan: 0
        dispatchSpawnProcess: false
        dispatchTimeFormat: string
        dispatchTtl: string
        displayView: string
        isScheduled: false
        isVisible: false
        maxConcurrent: 0
        name: string
        realtimeSchedule: false
        requestUiDispatchApp: string
        requestUiDispatchView: string
        restartOnSearchpeerAdd: false
        runOnStartup: false
        schedulePriority: string
        scheduleWindow: string
        search: string
        vsid: string
        workloadPool: string
    

    SavedSearches Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SavedSearches resource accepts the following input properties:

    Search string
    Required when creating a new search.
    Acl SavedSearchesAcl
    The app/user context that is the namespace for the resource
    ActionCreateXsoarIncident string
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    ActionCreateXsoarIncidentParamCustomFields string
    XSOAR custom incident fields (should be a comma separated list)
    ActionCreateXsoarIncidentParamDetails string
    XSOAR incident description
    ActionCreateXsoarIncidentParamIncidentName string
    XSOAR incident name
    ActionCreateXsoarIncidentParamOccurred string
    XSOAR incident time
    ActionCreateXsoarIncidentParamSendAllServers string
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    ActionCreateXsoarIncidentParamServerUrl string
    XSOAR Server instance URL (Should start with https:// || http://)
    ActionCreateXsoarIncidentParamSeverity string
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    ActionCreateXsoarIncidentParamType string
    XSOAR incident type
    ActionEmailAuthPassword string
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    ActionEmailAuthUsername string
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    ActionEmailBcc string
    BCC email address to use if action.email is enabled.
    ActionEmailCc string
    CC email address to use if action.email is enabled.
    ActionEmailCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionEmailFormat string
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    ActionEmailFrom string
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    ActionEmailHostname string
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    ActionEmailIncludeResultsLink int
    Specify whether to include a link to the results. Defaults to 0.
    ActionEmailIncludeSearch int
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    ActionEmailIncludeTrigger int
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    ActionEmailIncludeTriggerTime int
    Specify whether to show the time that the alert was fired. Defaults to 0.
    ActionEmailIncludeViewLink int
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    ActionEmailInline bool
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    ActionEmailMailserver string
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    ActionEmailMaxResults int
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    ActionEmailMaxTime string
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    ActionEmailMessageAlert string
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    ActionEmailMessageReport string
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    ActionEmailPdfview string
    The name of the view to deliver if sendpdf is enabled
    ActionEmailPreprocessResults string
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    ActionEmailReportCidFontList string
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    ActionEmailReportIncludeSplunkLogo bool
    Indicates whether to include the Splunk logo with the report.
    ActionEmailReportPaperOrientation string
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    ActionEmailReportPaperSize string
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    ActionEmailReportServerEnabled bool
    No Supported
    ActionEmailReportServerUrl string
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    ActionEmailSendCsv int
    Specify whether to send results as a CSV file. Defaults to 0.
    ActionEmailSendPdf bool
    Indicates whether to create and send the results as a PDF. Defaults to false.
    ActionEmailSendResults bool
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    ActionEmailSubject string
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    ActionEmailTo string
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    ActionEmailTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionEmailTtl string
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    ActionEmailUseSsl bool
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    ActionEmailUseTls bool
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    ActionEmailWidthSortColumns bool
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    ActionJiraServiceDeskParamAccount string
    Jira Service Desk account name
    ActionJiraServiceDeskParamJiraDescription string
    Jira issue description
    ActionJiraServiceDeskParamJiraIssueType string
    Jira issue type name
    ActionJiraServiceDeskParamJiraPriority string
    Jira priority of issue
    ActionJiraServiceDeskParamJiraProject string
    Jira Project name
    ActionJiraServiceDeskParamJiraSummary string
    Jira issue title/summary
    ActionPagerdutyCustomDetails string
    The PagerDuty custom details information.
    ActionPagerdutyIntegrationKey string
    The PagerDuty integration Key.
    ActionPagerdutyIntegrationKeyOverride string
    The PagerDuty integration Key override.
    ActionPagerdutyIntegrationUrl string
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPagerdutyIntegrationUrlOverride string
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPopulateLookupCommand string
    The search command (or pipeline) which is responsible for executing the action.
    ActionPopulateLookupDest string
    Lookup name of path of the lookup to populate
    ActionPopulateLookupHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionPopulateLookupMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionPopulateLookupMaxTime int
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    ActionPopulateLookupTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionPopulateLookupTtl string
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    ActionRssCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionRssHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionRssMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionRssMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionRssTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionRssTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionScriptCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionScriptFilename string
    File name of the script to call. Required if script action is enabled
    ActionScriptHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionScriptMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionScriptMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionScriptTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionScriptTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionSlackParamAttachment string
    Include a message attachment. Valid values are message, none, or alert_link
    ActionSlackParamChannel string
    Slack channel to send the message to (Should start with # or @)
    ActionSlackParamFields string
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    ActionSlackParamMessage string
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    ActionSlackParamWebhookUrlOverride string
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    ActionSnowEventParamAccount string
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    ActionSnowEventParamAdditionalInfo string
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    ActionSnowEventParamCiIdentifier string
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    ActionSnowEventParamCustomFields string
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    ActionSnowEventParamDescription string
    A brief description of the event.
    ActionSnowEventParamNode string
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    ActionSnowEventParamResource string
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    ActionSnowEventParamSeverity int
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    ActionSnowEventParamType string
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    ActionSummaryIndexCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionSummaryIndexHostname string
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionSummaryIndexInline bool
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    ActionSummaryIndexMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionSummaryIndexMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionSummaryIndexName string
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    ActionSummaryIndexTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionSummaryIndexTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionWebhookParamUrl string
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    Actions string
    A comma-separated list of actions to enable. For example: rss,email
    AlertComparator string
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    AlertCondition string
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    AlertDigestMode bool
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    AlertExpires string
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertSeverity int
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    AlertSuppress bool
    Indicates whether alert suppression is enabled for this scheduled search.
    AlertSuppressFields string
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    AlertSuppressPeriod string
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertThreshold string
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    AlertTrack bool
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    AlertType string
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    AllowSkew string
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    AutoSummarize bool
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    AutoSummarizeCommand string
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    AutoSummarizeCronSchedule string
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    AutoSummarizeDispatchEarliestTime string
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchLatestTime string
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchTimeFormat string
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    AutoSummarizeDispatchTtl string
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    AutoSummarizeMaxDisabledBuckets int
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    AutoSummarizeMaxSummaryRatio double
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    AutoSummarizeMaxSummarySize int
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    AutoSummarizeMaxTime int
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    AutoSummarizeSuspendPeriod string
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    AutoSummarizeTimespan string
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    CronSchedule string
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    Description string
    Human-readable description of this saved search. Defaults to empty string.
    Disabled bool
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    DispatchBuckets int
    The maximum number of timeline buckets. Defaults to 0.
    DispatchEarliestTime string
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexEarliest string
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexLatest string
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtime bool
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtimeMinspan int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchIndexedRealtimeOffset int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchLatestTime string
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchLookups bool
    Enables or disables the lookups for this search. Defaults to 1.
    DispatchMaxCount int
    The maximum number of results before finalizing the search. Defaults to 500000.
    DispatchMaxTime int
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    DispatchReduceFreq int
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    DispatchRtBackfill bool
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    DispatchRtMaximumSpan int
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    DispatchSpawnProcess bool
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    DispatchTimeFormat string
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    DispatchTtl string
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    DisplayView string
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    IsScheduled bool
    Whether this search is to be run on a schedule
    IsVisible bool
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    MaxConcurrent int
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    Name string
    A name for the search.
    RealtimeSchedule bool
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    RequestUiDispatchApp string
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    RequestUiDispatchView string
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    RestartOnSearchpeerAdd bool
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    RunOnStartup bool
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    SchedulePriority string
    Raises the scheduling priority of the named search. Defaults to Default
    ScheduleWindow string
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    Vsid string
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    WorkloadPool string
    Specifies the new workload pool where the existing running search will be placed.`
    Search string
    Required when creating a new search.
    Acl SavedSearchesAclArgs
    The app/user context that is the namespace for the resource
    ActionCreateXsoarIncident string
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    ActionCreateXsoarIncidentParamCustomFields string
    XSOAR custom incident fields (should be a comma separated list)
    ActionCreateXsoarIncidentParamDetails string
    XSOAR incident description
    ActionCreateXsoarIncidentParamIncidentName string
    XSOAR incident name
    ActionCreateXsoarIncidentParamOccurred string
    XSOAR incident time
    ActionCreateXsoarIncidentParamSendAllServers string
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    ActionCreateXsoarIncidentParamServerUrl string
    XSOAR Server instance URL (Should start with https:// || http://)
    ActionCreateXsoarIncidentParamSeverity string
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    ActionCreateXsoarIncidentParamType string
    XSOAR incident type
    ActionEmailAuthPassword string
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    ActionEmailAuthUsername string
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    ActionEmailBcc string
    BCC email address to use if action.email is enabled.
    ActionEmailCc string
    CC email address to use if action.email is enabled.
    ActionEmailCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionEmailFormat string
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    ActionEmailFrom string
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    ActionEmailHostname string
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    ActionEmailIncludeResultsLink int
    Specify whether to include a link to the results. Defaults to 0.
    ActionEmailIncludeSearch int
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    ActionEmailIncludeTrigger int
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    ActionEmailIncludeTriggerTime int
    Specify whether to show the time that the alert was fired. Defaults to 0.
    ActionEmailIncludeViewLink int
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    ActionEmailInline bool
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    ActionEmailMailserver string
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    ActionEmailMaxResults int
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    ActionEmailMaxTime string
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    ActionEmailMessageAlert string
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    ActionEmailMessageReport string
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    ActionEmailPdfview string
    The name of the view to deliver if sendpdf is enabled
    ActionEmailPreprocessResults string
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    ActionEmailReportCidFontList string
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    ActionEmailReportIncludeSplunkLogo bool
    Indicates whether to include the Splunk logo with the report.
    ActionEmailReportPaperOrientation string
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    ActionEmailReportPaperSize string
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    ActionEmailReportServerEnabled bool
    No Supported
    ActionEmailReportServerUrl string
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    ActionEmailSendCsv int
    Specify whether to send results as a CSV file. Defaults to 0.
    ActionEmailSendPdf bool
    Indicates whether to create and send the results as a PDF. Defaults to false.
    ActionEmailSendResults bool
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    ActionEmailSubject string
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    ActionEmailTo string
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    ActionEmailTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionEmailTtl string
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    ActionEmailUseSsl bool
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    ActionEmailUseTls bool
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    ActionEmailWidthSortColumns bool
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    ActionJiraServiceDeskParamAccount string
    Jira Service Desk account name
    ActionJiraServiceDeskParamJiraDescription string
    Jira issue description
    ActionJiraServiceDeskParamJiraIssueType string
    Jira issue type name
    ActionJiraServiceDeskParamJiraPriority string
    Jira priority of issue
    ActionJiraServiceDeskParamJiraProject string
    Jira Project name
    ActionJiraServiceDeskParamJiraSummary string
    Jira issue title/summary
    ActionPagerdutyCustomDetails string
    The PagerDuty custom details information.
    ActionPagerdutyIntegrationKey string
    The PagerDuty integration Key.
    ActionPagerdutyIntegrationKeyOverride string
    The PagerDuty integration Key override.
    ActionPagerdutyIntegrationUrl string
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPagerdutyIntegrationUrlOverride string
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPopulateLookupCommand string
    The search command (or pipeline) which is responsible for executing the action.
    ActionPopulateLookupDest string
    Lookup name of path of the lookup to populate
    ActionPopulateLookupHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionPopulateLookupMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionPopulateLookupMaxTime int
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    ActionPopulateLookupTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionPopulateLookupTtl string
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    ActionRssCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionRssHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionRssMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionRssMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionRssTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionRssTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionScriptCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionScriptFilename string
    File name of the script to call. Required if script action is enabled
    ActionScriptHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionScriptMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionScriptMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionScriptTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionScriptTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionSlackParamAttachment string
    Include a message attachment. Valid values are message, none, or alert_link
    ActionSlackParamChannel string
    Slack channel to send the message to (Should start with # or @)
    ActionSlackParamFields string
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    ActionSlackParamMessage string
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    ActionSlackParamWebhookUrlOverride string
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    ActionSnowEventParamAccount string
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    ActionSnowEventParamAdditionalInfo string
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    ActionSnowEventParamCiIdentifier string
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    ActionSnowEventParamCustomFields string
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    ActionSnowEventParamDescription string
    A brief description of the event.
    ActionSnowEventParamNode string
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    ActionSnowEventParamResource string
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    ActionSnowEventParamSeverity int
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    ActionSnowEventParamType string
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    ActionSummaryIndexCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionSummaryIndexHostname string
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionSummaryIndexInline bool
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    ActionSummaryIndexMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionSummaryIndexMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionSummaryIndexName string
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    ActionSummaryIndexTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionSummaryIndexTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionWebhookParamUrl string
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    Actions string
    A comma-separated list of actions to enable. For example: rss,email
    AlertComparator string
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    AlertCondition string
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    AlertDigestMode bool
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    AlertExpires string
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertSeverity int
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    AlertSuppress bool
    Indicates whether alert suppression is enabled for this scheduled search.
    AlertSuppressFields string
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    AlertSuppressPeriod string
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertThreshold string
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    AlertTrack bool
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    AlertType string
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    AllowSkew string
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    AutoSummarize bool
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    AutoSummarizeCommand string
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    AutoSummarizeCronSchedule string
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    AutoSummarizeDispatchEarliestTime string
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchLatestTime string
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchTimeFormat string
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    AutoSummarizeDispatchTtl string
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    AutoSummarizeMaxDisabledBuckets int
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    AutoSummarizeMaxSummaryRatio float64
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    AutoSummarizeMaxSummarySize int
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    AutoSummarizeMaxTime int
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    AutoSummarizeSuspendPeriod string
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    AutoSummarizeTimespan string
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    CronSchedule string
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    Description string
    Human-readable description of this saved search. Defaults to empty string.
    Disabled bool
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    DispatchBuckets int
    The maximum number of timeline buckets. Defaults to 0.
    DispatchEarliestTime string
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexEarliest string
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexLatest string
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtime bool
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtimeMinspan int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchIndexedRealtimeOffset int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchLatestTime string
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchLookups bool
    Enables or disables the lookups for this search. Defaults to 1.
    DispatchMaxCount int
    The maximum number of results before finalizing the search. Defaults to 500000.
    DispatchMaxTime int
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    DispatchReduceFreq int
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    DispatchRtBackfill bool
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    DispatchRtMaximumSpan int
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    DispatchSpawnProcess bool
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    DispatchTimeFormat string
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    DispatchTtl string
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    DisplayView string
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    IsScheduled bool
    Whether this search is to be run on a schedule
    IsVisible bool
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    MaxConcurrent int
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    Name string
    A name for the search.
    RealtimeSchedule bool
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    RequestUiDispatchApp string
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    RequestUiDispatchView string
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    RestartOnSearchpeerAdd bool
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    RunOnStartup bool
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    SchedulePriority string
    Raises the scheduling priority of the named search. Defaults to Default
    ScheduleWindow string
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    Vsid string
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    WorkloadPool string
    Specifies the new workload pool where the existing running search will be placed.`
    search String
    Required when creating a new search.
    acl SavedSearchesAcl
    The app/user context that is the namespace for the resource
    actionCreateXsoarIncident String
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    actionCreateXsoarIncidentParamCustomFields String
    XSOAR custom incident fields (should be a comma separated list)
    actionCreateXsoarIncidentParamDetails String
    XSOAR incident description
    actionCreateXsoarIncidentParamIncidentName String
    XSOAR incident name
    actionCreateXsoarIncidentParamOccurred String
    XSOAR incident time
    actionCreateXsoarIncidentParamSendAllServers String
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    actionCreateXsoarIncidentParamServerUrl String
    XSOAR Server instance URL (Should start with https:// || http://)
    actionCreateXsoarIncidentParamSeverity String
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    actionCreateXsoarIncidentParamType String
    XSOAR incident type
    actionEmailAuthPassword String
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    actionEmailAuthUsername String
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    actionEmailBcc String
    BCC email address to use if action.email is enabled.
    actionEmailCc String
    CC email address to use if action.email is enabled.
    actionEmailCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionEmailFormat String
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    actionEmailFrom String
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    actionEmailHostname String
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    actionEmailIncludeResultsLink Integer
    Specify whether to include a link to the results. Defaults to 0.
    actionEmailIncludeSearch Integer
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    actionEmailIncludeTrigger Integer
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    actionEmailIncludeTriggerTime Integer
    Specify whether to show the time that the alert was fired. Defaults to 0.
    actionEmailIncludeViewLink Integer
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    actionEmailInline Boolean
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    actionEmailMailserver String
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    actionEmailMaxResults Integer
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    actionEmailMaxTime String
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    actionEmailMessageAlert String
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    actionEmailMessageReport String
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    actionEmailPdfview String
    The name of the view to deliver if sendpdf is enabled
    actionEmailPreprocessResults String
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    actionEmailReportCidFontList String
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    actionEmailReportIncludeSplunkLogo Boolean
    Indicates whether to include the Splunk logo with the report.
    actionEmailReportPaperOrientation String
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    actionEmailReportPaperSize String
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    actionEmailReportServerEnabled Boolean
    No Supported
    actionEmailReportServerUrl String
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    actionEmailSendCsv Integer
    Specify whether to send results as a CSV file. Defaults to 0.
    actionEmailSendPdf Boolean
    Indicates whether to create and send the results as a PDF. Defaults to false.
    actionEmailSendResults Boolean
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    actionEmailSubject String
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    actionEmailTo String
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    actionEmailTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionEmailTtl String
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    actionEmailUseSsl Boolean
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    actionEmailUseTls Boolean
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    actionEmailWidthSortColumns Boolean
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    actionJiraServiceDeskParamAccount String
    Jira Service Desk account name
    actionJiraServiceDeskParamJiraDescription String
    Jira issue description
    actionJiraServiceDeskParamJiraIssueType String
    Jira issue type name
    actionJiraServiceDeskParamJiraPriority String
    Jira priority of issue
    actionJiraServiceDeskParamJiraProject String
    Jira Project name
    actionJiraServiceDeskParamJiraSummary String
    Jira issue title/summary
    actionPagerdutyCustomDetails String
    The PagerDuty custom details information.
    actionPagerdutyIntegrationKey String
    The PagerDuty integration Key.
    actionPagerdutyIntegrationKeyOverride String
    The PagerDuty integration Key override.
    actionPagerdutyIntegrationUrl String
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPagerdutyIntegrationUrlOverride String
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPopulateLookupCommand String
    The search command (or pipeline) which is responsible for executing the action.
    actionPopulateLookupDest String
    Lookup name of path of the lookup to populate
    actionPopulateLookupHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionPopulateLookupMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionPopulateLookupMaxTime Integer
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    actionPopulateLookupTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionPopulateLookupTtl String
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    actionRssCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionRssHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionRssMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionRssMaxTime Integer
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionRssTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionRssTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionScriptCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionScriptFilename String
    File name of the script to call. Required if script action is enabled
    actionScriptHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionScriptMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionScriptMaxTime Integer
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionScriptTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionScriptTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionSlackParamAttachment String
    Include a message attachment. Valid values are message, none, or alert_link
    actionSlackParamChannel String
    Slack channel to send the message to (Should start with # or @)
    actionSlackParamFields String
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    actionSlackParamMessage String
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    actionSlackParamWebhookUrlOverride String
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    actionSnowEventParamAccount String
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    actionSnowEventParamAdditionalInfo String
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    actionSnowEventParamCiIdentifier String
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    actionSnowEventParamCustomFields String
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    actionSnowEventParamDescription String
    A brief description of the event.
    actionSnowEventParamNode String
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    actionSnowEventParamResource String
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    actionSnowEventParamSeverity Integer
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    actionSnowEventParamType String
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    actionSummaryIndexCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionSummaryIndexHostname String
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionSummaryIndexInline Boolean
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    actionSummaryIndexMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionSummaryIndexMaxTime Integer
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionSummaryIndexName String
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    actionSummaryIndexTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionSummaryIndexTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionWebhookParamUrl String
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    actions String
    A comma-separated list of actions to enable. For example: rss,email
    alertComparator String
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    alertCondition String
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    alertDigestMode Boolean
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    alertExpires String
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertSeverity Integer
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    alertSuppress Boolean
    Indicates whether alert suppression is enabled for this scheduled search.
    alertSuppressFields String
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    alertSuppressPeriod String
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertThreshold String
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    alertTrack Boolean
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    alertType String
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    allowSkew String
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    autoSummarize Boolean
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    autoSummarizeCommand String
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    autoSummarizeCronSchedule String
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    autoSummarizeDispatchEarliestTime String
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchLatestTime String
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchTimeFormat String
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    autoSummarizeDispatchTtl String
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    autoSummarizeMaxDisabledBuckets Integer
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    autoSummarizeMaxSummaryRatio Double
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    autoSummarizeMaxSummarySize Integer
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    autoSummarizeMaxTime Integer
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    autoSummarizeSuspendPeriod String
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    autoSummarizeTimespan String
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    cronSchedule String
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    description String
    Human-readable description of this saved search. Defaults to empty string.
    disabled Boolean
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    dispatchBuckets Integer
    The maximum number of timeline buckets. Defaults to 0.
    dispatchEarliestTime String
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexEarliest String
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexLatest String
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtime Boolean
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtimeMinspan Integer
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchIndexedRealtimeOffset Integer
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchLatestTime String
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchLookups Boolean
    Enables or disables the lookups for this search. Defaults to 1.
    dispatchMaxCount Integer
    The maximum number of results before finalizing the search. Defaults to 500000.
    dispatchMaxTime Integer
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    dispatchReduceFreq Integer
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    dispatchRtBackfill Boolean
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    dispatchRtMaximumSpan Integer
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    dispatchSpawnProcess Boolean
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    dispatchTimeFormat String
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    dispatchTtl String
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    displayView String
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    isScheduled Boolean
    Whether this search is to be run on a schedule
    isVisible Boolean
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    maxConcurrent Integer
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    name String
    A name for the search.
    realtimeSchedule Boolean
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    requestUiDispatchApp String
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    requestUiDispatchView String
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    restartOnSearchpeerAdd Boolean
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    runOnStartup Boolean
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    schedulePriority String
    Raises the scheduling priority of the named search. Defaults to Default
    scheduleWindow String
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    vsid String
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    workloadPool String
    Specifies the new workload pool where the existing running search will be placed.`
    search string
    Required when creating a new search.
    acl SavedSearchesAcl
    The app/user context that is the namespace for the resource
    actionCreateXsoarIncident string
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    actionCreateXsoarIncidentParamCustomFields string
    XSOAR custom incident fields (should be a comma separated list)
    actionCreateXsoarIncidentParamDetails string
    XSOAR incident description
    actionCreateXsoarIncidentParamIncidentName string
    XSOAR incident name
    actionCreateXsoarIncidentParamOccurred string
    XSOAR incident time
    actionCreateXsoarIncidentParamSendAllServers string
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    actionCreateXsoarIncidentParamServerUrl string
    XSOAR Server instance URL (Should start with https:// || http://)
    actionCreateXsoarIncidentParamSeverity string
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    actionCreateXsoarIncidentParamType string
    XSOAR incident type
    actionEmailAuthPassword string
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    actionEmailAuthUsername string
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    actionEmailBcc string
    BCC email address to use if action.email is enabled.
    actionEmailCc string
    CC email address to use if action.email is enabled.
    actionEmailCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionEmailFormat string
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    actionEmailFrom string
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    actionEmailHostname string
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    actionEmailIncludeResultsLink number
    Specify whether to include a link to the results. Defaults to 0.
    actionEmailIncludeSearch number
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    actionEmailIncludeTrigger number
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    actionEmailIncludeTriggerTime number
    Specify whether to show the time that the alert was fired. Defaults to 0.
    actionEmailIncludeViewLink number
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    actionEmailInline boolean
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    actionEmailMailserver string
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    actionEmailMaxResults number
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    actionEmailMaxTime string
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    actionEmailMessageAlert string
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    actionEmailMessageReport string
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    actionEmailPdfview string
    The name of the view to deliver if sendpdf is enabled
    actionEmailPreprocessResults string
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    actionEmailReportCidFontList string
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    actionEmailReportIncludeSplunkLogo boolean
    Indicates whether to include the Splunk logo with the report.
    actionEmailReportPaperOrientation string
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    actionEmailReportPaperSize string
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    actionEmailReportServerEnabled boolean
    No Supported
    actionEmailReportServerUrl string
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    actionEmailSendCsv number
    Specify whether to send results as a CSV file. Defaults to 0.
    actionEmailSendPdf boolean
    Indicates whether to create and send the results as a PDF. Defaults to false.
    actionEmailSendResults boolean
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    actionEmailSubject string
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    actionEmailTo string
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    actionEmailTrackAlert boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionEmailTtl string
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    actionEmailUseSsl boolean
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    actionEmailUseTls boolean
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    actionEmailWidthSortColumns boolean
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    actionJiraServiceDeskParamAccount string
    Jira Service Desk account name
    actionJiraServiceDeskParamJiraDescription string
    Jira issue description
    actionJiraServiceDeskParamJiraIssueType string
    Jira issue type name
    actionJiraServiceDeskParamJiraPriority string
    Jira priority of issue
    actionJiraServiceDeskParamJiraProject string
    Jira Project name
    actionJiraServiceDeskParamJiraSummary string
    Jira issue title/summary
    actionPagerdutyCustomDetails string
    The PagerDuty custom details information.
    actionPagerdutyIntegrationKey string
    The PagerDuty integration Key.
    actionPagerdutyIntegrationKeyOverride string
    The PagerDuty integration Key override.
    actionPagerdutyIntegrationUrl string
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPagerdutyIntegrationUrlOverride string
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPopulateLookupCommand string
    The search command (or pipeline) which is responsible for executing the action.
    actionPopulateLookupDest string
    Lookup name of path of the lookup to populate
    actionPopulateLookupHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionPopulateLookupMaxResults number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionPopulateLookupMaxTime number
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    actionPopulateLookupTrackAlert boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionPopulateLookupTtl string
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    actionRssCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionRssHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionRssMaxResults number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionRssMaxTime number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionRssTrackAlert boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionRssTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionScriptCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionScriptFilename string
    File name of the script to call. Required if script action is enabled
    actionScriptHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionScriptMaxResults number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionScriptMaxTime number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionScriptTrackAlert boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionScriptTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionSlackParamAttachment string
    Include a message attachment. Valid values are message, none, or alert_link
    actionSlackParamChannel string
    Slack channel to send the message to (Should start with # or @)
    actionSlackParamFields string
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    actionSlackParamMessage string
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    actionSlackParamWebhookUrlOverride string
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    actionSnowEventParamAccount string
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    actionSnowEventParamAdditionalInfo string
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    actionSnowEventParamCiIdentifier string
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    actionSnowEventParamCustomFields string
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    actionSnowEventParamDescription string
    A brief description of the event.
    actionSnowEventParamNode string
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    actionSnowEventParamResource string
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    actionSnowEventParamSeverity number
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    actionSnowEventParamType string
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    actionSummaryIndexCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionSummaryIndexHostname string
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionSummaryIndexInline boolean
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    actionSummaryIndexMaxResults number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionSummaryIndexMaxTime number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionSummaryIndexName string
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    actionSummaryIndexTrackAlert boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionSummaryIndexTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionWebhookParamUrl string
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    actions string
    A comma-separated list of actions to enable. For example: rss,email
    alertComparator string
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    alertCondition string
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    alertDigestMode boolean
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    alertExpires string
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertSeverity number
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    alertSuppress boolean
    Indicates whether alert suppression is enabled for this scheduled search.
    alertSuppressFields string
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    alertSuppressPeriod string
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertThreshold string
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    alertTrack boolean
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    alertType string
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    allowSkew string
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    autoSummarize boolean
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    autoSummarizeCommand string
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    autoSummarizeCronSchedule string
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    autoSummarizeDispatchEarliestTime string
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchLatestTime string
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchTimeFormat string
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    autoSummarizeDispatchTtl string
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    autoSummarizeMaxDisabledBuckets number
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    autoSummarizeMaxSummaryRatio number
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    autoSummarizeMaxSummarySize number
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    autoSummarizeMaxTime number
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    autoSummarizeSuspendPeriod string
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    autoSummarizeTimespan string
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    cronSchedule string
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    description string
    Human-readable description of this saved search. Defaults to empty string.
    disabled boolean
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    dispatchBuckets number
    The maximum number of timeline buckets. Defaults to 0.
    dispatchEarliestTime string
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexEarliest string
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexLatest string
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtime boolean
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtimeMinspan number
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchIndexedRealtimeOffset number
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchLatestTime string
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchLookups boolean
    Enables or disables the lookups for this search. Defaults to 1.
    dispatchMaxCount number
    The maximum number of results before finalizing the search. Defaults to 500000.
    dispatchMaxTime number
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    dispatchReduceFreq number
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    dispatchRtBackfill boolean
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    dispatchRtMaximumSpan number
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    dispatchSpawnProcess boolean
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    dispatchTimeFormat string
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    dispatchTtl string
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    displayView string
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    isScheduled boolean
    Whether this search is to be run on a schedule
    isVisible boolean
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    maxConcurrent number
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    name string
    A name for the search.
    realtimeSchedule boolean
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    requestUiDispatchApp string
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    requestUiDispatchView string
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    restartOnSearchpeerAdd boolean
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    runOnStartup boolean
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    schedulePriority string
    Raises the scheduling priority of the named search. Defaults to Default
    scheduleWindow string
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    vsid string
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    workloadPool string
    Specifies the new workload pool where the existing running search will be placed.`
    search str
    Required when creating a new search.
    acl SavedSearchesAclArgs
    The app/user context that is the namespace for the resource
    action_create_xsoar_incident str
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    action_create_xsoar_incident_param_custom_fields str
    XSOAR custom incident fields (should be a comma separated list)
    action_create_xsoar_incident_param_details str
    XSOAR incident description
    action_create_xsoar_incident_param_incident_name str
    XSOAR incident name
    action_create_xsoar_incident_param_occurred str
    XSOAR incident time
    action_create_xsoar_incident_param_send_all_servers str
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    action_create_xsoar_incident_param_server_url str
    XSOAR Server instance URL (Should start with https:// || http://)
    action_create_xsoar_incident_param_severity str
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    action_create_xsoar_incident_param_type str
    XSOAR incident type
    action_email_auth_password str
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    action_email_auth_username str
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    action_email_bcc str
    BCC email address to use if action.email is enabled.
    action_email_cc str
    CC email address to use if action.email is enabled.
    action_email_command str
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    action_email_format str
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    action_email_from str
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    action_email_hostname str
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    action_email_include_results_link int
    Specify whether to include a link to the results. Defaults to 0.
    action_email_include_search int
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    action_email_include_trigger int
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    action_email_include_trigger_time int
    Specify whether to show the time that the alert was fired. Defaults to 0.
    action_email_include_view_link int
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    action_email_inline bool
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    action_email_mailserver str
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    action_email_max_results int
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    action_email_max_time str
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    action_email_message_alert str
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    action_email_message_report str
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    action_email_pdfview str
    The name of the view to deliver if sendpdf is enabled
    action_email_preprocess_results str
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    action_email_report_cid_font_list str
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    action_email_report_include_splunk_logo bool
    Indicates whether to include the Splunk logo with the report.
    action_email_report_paper_orientation str
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    action_email_report_paper_size str
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    action_email_report_server_enabled bool
    No Supported
    action_email_report_server_url str
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    action_email_send_csv int
    Specify whether to send results as a CSV file. Defaults to 0.
    action_email_send_pdf bool
    Indicates whether to create and send the results as a PDF. Defaults to false.
    action_email_send_results bool
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    action_email_subject str
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    action_email_to str
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    action_email_track_alert bool
    Indicates whether the execution of this action signifies a trackable alert.
    action_email_ttl str
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    action_email_use_ssl bool
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    action_email_use_tls bool
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    action_email_width_sort_columns bool
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    action_jira_service_desk_param_account str
    Jira Service Desk account name
    action_jira_service_desk_param_jira_description str
    Jira issue description
    action_jira_service_desk_param_jira_issue_type str
    Jira issue type name
    action_jira_service_desk_param_jira_priority str
    Jira priority of issue
    action_jira_service_desk_param_jira_project str
    Jira Project name
    action_jira_service_desk_param_jira_summary str
    Jira issue title/summary
    action_pagerduty_custom_details str
    The PagerDuty custom details information.
    action_pagerduty_integration_key str
    The PagerDuty integration Key.
    action_pagerduty_integration_key_override str
    The PagerDuty integration Key override.
    action_pagerduty_integration_url str
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    action_pagerduty_integration_url_override str
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    action_populate_lookup_command str
    The search command (or pipeline) which is responsible for executing the action.
    action_populate_lookup_dest str
    Lookup name of path of the lookup to populate
    action_populate_lookup_hostname str
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    action_populate_lookup_max_results int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    action_populate_lookup_max_time int
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    action_populate_lookup_track_alert bool
    Indicates whether the execution of this action signifies a trackable alert.
    action_populate_lookup_ttl str
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    action_rss_command str
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    action_rss_hostname str
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    action_rss_max_results int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    action_rss_max_time int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    action_rss_track_alert bool
    Indicates whether the execution of this action signifies a trackable alert.
    action_rss_ttl str
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    action_script_command str
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    action_script_filename str
    File name of the script to call. Required if script action is enabled
    action_script_hostname str
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    action_script_max_results int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    action_script_max_time int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    action_script_track_alert bool
    Indicates whether the execution of this action signifies a trackable alert.
    action_script_ttl str
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    action_slack_param_attachment str
    Include a message attachment. Valid values are message, none, or alert_link
    action_slack_param_channel str
    Slack channel to send the message to (Should start with # or @)
    action_slack_param_fields str
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    action_slack_param_message str
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    action_slack_param_webhook_url_override str
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    action_snow_event_param_account str
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    action_snow_event_param_additional_info str
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    action_snow_event_param_ci_identifier str
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    action_snow_event_param_custom_fields str
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    action_snow_event_param_description str
    A brief description of the event.
    action_snow_event_param_node str
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    action_snow_event_param_resource str
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    action_snow_event_param_severity int
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    action_snow_event_param_type str
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    action_summary_index_command str
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    action_summary_index_hostname str
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    action_summary_index_inline bool
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    action_summary_index_max_results int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    action_summary_index_max_time int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    action_summary_index_name str
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    action_summary_index_track_alert bool
    Indicates whether the execution of this action signifies a trackable alert.
    action_summary_index_ttl str
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    action_webhook_param_url str
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    actions str
    A comma-separated list of actions to enable. For example: rss,email
    alert_comparator str
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    alert_condition str
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    alert_digest_mode bool
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    alert_expires str
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alert_severity int
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    alert_suppress bool
    Indicates whether alert suppression is enabled for this scheduled search.
    alert_suppress_fields str
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    alert_suppress_period str
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alert_threshold str
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    alert_track bool
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    alert_type str
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    allow_skew str
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    auto_summarize bool
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    auto_summarize_command str
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    auto_summarize_cron_schedule str
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    auto_summarize_dispatch_earliest_time str
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    auto_summarize_dispatch_latest_time str
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    auto_summarize_dispatch_time_format str
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    auto_summarize_dispatch_ttl str
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    auto_summarize_max_disabled_buckets int
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    auto_summarize_max_summary_ratio float
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    auto_summarize_max_summary_size int
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    auto_summarize_max_time int
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    auto_summarize_suspend_period str
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    auto_summarize_timespan str
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    cron_schedule str
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    description str
    Human-readable description of this saved search. Defaults to empty string.
    disabled bool
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    dispatch_buckets int
    The maximum number of timeline buckets. Defaults to 0.
    dispatch_earliest_time str
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatch_index_earliest str
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatch_index_latest str
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatch_indexed_realtime bool
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatch_indexed_realtime_minspan int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatch_indexed_realtime_offset int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatch_latest_time str
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatch_lookups bool
    Enables or disables the lookups for this search. Defaults to 1.
    dispatch_max_count int
    The maximum number of results before finalizing the search. Defaults to 500000.
    dispatch_max_time int
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    dispatch_reduce_freq int
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    dispatch_rt_backfill bool
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    dispatch_rt_maximum_span int
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    dispatch_spawn_process bool
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    dispatch_time_format str
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    dispatch_ttl str
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    display_view str
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    is_scheduled bool
    Whether this search is to be run on a schedule
    is_visible bool
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    max_concurrent int
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    name str
    A name for the search.
    realtime_schedule bool
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    request_ui_dispatch_app str
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    request_ui_dispatch_view str
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    restart_on_searchpeer_add bool
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    run_on_startup bool
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    schedule_priority str
    Raises the scheduling priority of the named search. Defaults to Default
    schedule_window str
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    vsid str
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    workload_pool str
    Specifies the new workload pool where the existing running search will be placed.`
    search String
    Required when creating a new search.
    acl Property Map
    The app/user context that is the namespace for the resource
    actionCreateXsoarIncident String
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    actionCreateXsoarIncidentParamCustomFields String
    XSOAR custom incident fields (should be a comma separated list)
    actionCreateXsoarIncidentParamDetails String
    XSOAR incident description
    actionCreateXsoarIncidentParamIncidentName String
    XSOAR incident name
    actionCreateXsoarIncidentParamOccurred String
    XSOAR incident time
    actionCreateXsoarIncidentParamSendAllServers String
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    actionCreateXsoarIncidentParamServerUrl String
    XSOAR Server instance URL (Should start with https:// || http://)
    actionCreateXsoarIncidentParamSeverity String
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    actionCreateXsoarIncidentParamType String
    XSOAR incident type
    actionEmailAuthPassword String
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    actionEmailAuthUsername String
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    actionEmailBcc String
    BCC email address to use if action.email is enabled.
    actionEmailCc String
    CC email address to use if action.email is enabled.
    actionEmailCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionEmailFormat String
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    actionEmailFrom String
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    actionEmailHostname String
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    actionEmailIncludeResultsLink Number
    Specify whether to include a link to the results. Defaults to 0.
    actionEmailIncludeSearch Number
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    actionEmailIncludeTrigger Number
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    actionEmailIncludeTriggerTime Number
    Specify whether to show the time that the alert was fired. Defaults to 0.
    actionEmailIncludeViewLink Number
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    actionEmailInline Boolean
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    actionEmailMailserver String
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    actionEmailMaxResults Number
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    actionEmailMaxTime String
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    actionEmailMessageAlert String
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    actionEmailMessageReport String
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    actionEmailPdfview String
    The name of the view to deliver if sendpdf is enabled
    actionEmailPreprocessResults String
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    actionEmailReportCidFontList String
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    actionEmailReportIncludeSplunkLogo Boolean
    Indicates whether to include the Splunk logo with the report.
    actionEmailReportPaperOrientation String
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    actionEmailReportPaperSize String
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    actionEmailReportServerEnabled Boolean
    No Supported
    actionEmailReportServerUrl String
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    actionEmailSendCsv Number
    Specify whether to send results as a CSV file. Defaults to 0.
    actionEmailSendPdf Boolean
    Indicates whether to create and send the results as a PDF. Defaults to false.
    actionEmailSendResults Boolean
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    actionEmailSubject String
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    actionEmailTo String
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    actionEmailTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionEmailTtl String
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    actionEmailUseSsl Boolean
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    actionEmailUseTls Boolean
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    actionEmailWidthSortColumns Boolean
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    actionJiraServiceDeskParamAccount String
    Jira Service Desk account name
    actionJiraServiceDeskParamJiraDescription String
    Jira issue description
    actionJiraServiceDeskParamJiraIssueType String
    Jira issue type name
    actionJiraServiceDeskParamJiraPriority String
    Jira priority of issue
    actionJiraServiceDeskParamJiraProject String
    Jira Project name
    actionJiraServiceDeskParamJiraSummary String
    Jira issue title/summary
    actionPagerdutyCustomDetails String
    The PagerDuty custom details information.
    actionPagerdutyIntegrationKey String
    The PagerDuty integration Key.
    actionPagerdutyIntegrationKeyOverride String
    The PagerDuty integration Key override.
    actionPagerdutyIntegrationUrl String
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPagerdutyIntegrationUrlOverride String
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPopulateLookupCommand String
    The search command (or pipeline) which is responsible for executing the action.
    actionPopulateLookupDest String
    Lookup name of path of the lookup to populate
    actionPopulateLookupHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionPopulateLookupMaxResults Number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionPopulateLookupMaxTime Number
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    actionPopulateLookupTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionPopulateLookupTtl String
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    actionRssCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionRssHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionRssMaxResults Number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionRssMaxTime Number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionRssTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionRssTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionScriptCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionScriptFilename String
    File name of the script to call. Required if script action is enabled
    actionScriptHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionScriptMaxResults Number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionScriptMaxTime Number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionScriptTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionScriptTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionSlackParamAttachment String
    Include a message attachment. Valid values are message, none, or alert_link
    actionSlackParamChannel String
    Slack channel to send the message to (Should start with # or @)
    actionSlackParamFields String
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    actionSlackParamMessage String
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    actionSlackParamWebhookUrlOverride String
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    actionSnowEventParamAccount String
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    actionSnowEventParamAdditionalInfo String
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    actionSnowEventParamCiIdentifier String
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    actionSnowEventParamCustomFields String
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    actionSnowEventParamDescription String
    A brief description of the event.
    actionSnowEventParamNode String
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    actionSnowEventParamResource String
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    actionSnowEventParamSeverity Number
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    actionSnowEventParamType String
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    actionSummaryIndexCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionSummaryIndexHostname String
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionSummaryIndexInline Boolean
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    actionSummaryIndexMaxResults Number
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionSummaryIndexMaxTime Number
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionSummaryIndexName String
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    actionSummaryIndexTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionSummaryIndexTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionWebhookParamUrl String
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    actions String
    A comma-separated list of actions to enable. For example: rss,email
    alertComparator String
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    alertCondition String
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    alertDigestMode Boolean
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    alertExpires String
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertSeverity Number
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    alertSuppress Boolean
    Indicates whether alert suppression is enabled for this scheduled search.
    alertSuppressFields String
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    alertSuppressPeriod String
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    alertThreshold String
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    alertTrack Boolean
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    alertType String
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    allowSkew String
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    autoSummarize Boolean
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    autoSummarizeCommand String
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    autoSummarizeCronSchedule String
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    autoSummarizeDispatchEarliestTime String
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchLatestTime String
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    autoSummarizeDispatchTimeFormat String
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    autoSummarizeDispatchTtl String
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    autoSummarizeMaxDisabledBuckets Number
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    autoSummarizeMaxSummaryRatio Number
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    autoSummarizeMaxSummarySize Number
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    autoSummarizeMaxTime Number
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    autoSummarizeSuspendPeriod String
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    autoSummarizeTimespan String
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    cronSchedule String
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    description String
    Human-readable description of this saved search. Defaults to empty string.
    disabled Boolean
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    dispatchBuckets Number
    The maximum number of timeline buckets. Defaults to 0.
    dispatchEarliestTime String
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexEarliest String
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexLatest String
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtime Boolean
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchIndexedRealtimeMinspan Number
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchIndexedRealtimeOffset Number
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    dispatchLatestTime String
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    dispatchLookups Boolean
    Enables or disables the lookups for this search. Defaults to 1.
    dispatchMaxCount Number
    The maximum number of results before finalizing the search. Defaults to 500000.
    dispatchMaxTime Number
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    dispatchReduceFreq Number
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    dispatchRtBackfill Boolean
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    dispatchRtMaximumSpan Number
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    dispatchSpawnProcess Boolean
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    dispatchTimeFormat String
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    dispatchTtl String
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    displayView String
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    isScheduled Boolean
    Whether this search is to be run on a schedule
    isVisible Boolean
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    maxConcurrent Number
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    name String
    A name for the search.
    realtimeSchedule Boolean
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    requestUiDispatchApp String
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    requestUiDispatchView String
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    restartOnSearchpeerAdd Boolean
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    runOnStartup Boolean
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    schedulePriority String
    Raises the scheduling priority of the named search. Defaults to Default
    scheduleWindow String
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    vsid String
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    workloadPool String
    Specifies the new workload pool where the existing running search will be placed.`

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SavedSearches resource produces the following output properties:

    ActionEmail bool
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionPopulateLookup bool
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionRss bool
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    ActionScript bool
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionSummaryIndex bool
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    Id string
    The provider-assigned unique ID for this managed resource.
    ActionEmail bool
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionPopulateLookup bool
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionRss bool
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    ActionScript bool
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionSummaryIndex bool
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    Id string
    The provider-assigned unique ID for this managed resource.
    actionEmail Boolean
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionPopulateLookup Boolean
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionRss Boolean
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    actionScript Boolean
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionSummaryIndex Boolean
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    id String
    The provider-assigned unique ID for this managed resource.
    actionEmail boolean
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionPopulateLookup boolean
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionRss boolean
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    actionScript boolean
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionSummaryIndex boolean
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    id string
    The provider-assigned unique ID for this managed resource.
    action_email bool
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    action_populate_lookup bool
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    action_rss bool
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    action_script bool
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    action_summary_index bool
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    id str
    The provider-assigned unique ID for this managed resource.
    actionEmail Boolean
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionPopulateLookup Boolean
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionRss Boolean
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    actionScript Boolean
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionSummaryIndex Boolean
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SavedSearches Resource

    Get an existing SavedSearches resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SavedSearchesState, opts?: CustomResourceOptions): SavedSearches
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            acl: Optional[SavedSearchesAclArgs] = None,
            action_create_xsoar_incident: Optional[str] = None,
            action_create_xsoar_incident_param_custom_fields: Optional[str] = None,
            action_create_xsoar_incident_param_details: Optional[str] = None,
            action_create_xsoar_incident_param_incident_name: Optional[str] = None,
            action_create_xsoar_incident_param_occurred: Optional[str] = None,
            action_create_xsoar_incident_param_send_all_servers: Optional[str] = None,
            action_create_xsoar_incident_param_server_url: Optional[str] = None,
            action_create_xsoar_incident_param_severity: Optional[str] = None,
            action_create_xsoar_incident_param_type: Optional[str] = None,
            action_email: Optional[bool] = None,
            action_email_auth_password: Optional[str] = None,
            action_email_auth_username: Optional[str] = None,
            action_email_bcc: Optional[str] = None,
            action_email_cc: Optional[str] = None,
            action_email_command: Optional[str] = None,
            action_email_format: Optional[str] = None,
            action_email_from: Optional[str] = None,
            action_email_hostname: Optional[str] = None,
            action_email_include_results_link: Optional[int] = None,
            action_email_include_search: Optional[int] = None,
            action_email_include_trigger: Optional[int] = None,
            action_email_include_trigger_time: Optional[int] = None,
            action_email_include_view_link: Optional[int] = None,
            action_email_inline: Optional[bool] = None,
            action_email_mailserver: Optional[str] = None,
            action_email_max_results: Optional[int] = None,
            action_email_max_time: Optional[str] = None,
            action_email_message_alert: Optional[str] = None,
            action_email_message_report: Optional[str] = None,
            action_email_pdfview: Optional[str] = None,
            action_email_preprocess_results: Optional[str] = None,
            action_email_report_cid_font_list: Optional[str] = None,
            action_email_report_include_splunk_logo: Optional[bool] = None,
            action_email_report_paper_orientation: Optional[str] = None,
            action_email_report_paper_size: Optional[str] = None,
            action_email_report_server_enabled: Optional[bool] = None,
            action_email_report_server_url: Optional[str] = None,
            action_email_send_csv: Optional[int] = None,
            action_email_send_pdf: Optional[bool] = None,
            action_email_send_results: Optional[bool] = None,
            action_email_subject: Optional[str] = None,
            action_email_to: Optional[str] = None,
            action_email_track_alert: Optional[bool] = None,
            action_email_ttl: Optional[str] = None,
            action_email_use_ssl: Optional[bool] = None,
            action_email_use_tls: Optional[bool] = None,
            action_email_width_sort_columns: Optional[bool] = None,
            action_jira_service_desk_param_account: Optional[str] = None,
            action_jira_service_desk_param_jira_description: Optional[str] = None,
            action_jira_service_desk_param_jira_issue_type: Optional[str] = None,
            action_jira_service_desk_param_jira_priority: Optional[str] = None,
            action_jira_service_desk_param_jira_project: Optional[str] = None,
            action_jira_service_desk_param_jira_summary: Optional[str] = None,
            action_pagerduty_custom_details: Optional[str] = None,
            action_pagerduty_integration_key: Optional[str] = None,
            action_pagerduty_integration_key_override: Optional[str] = None,
            action_pagerduty_integration_url: Optional[str] = None,
            action_pagerduty_integration_url_override: Optional[str] = None,
            action_populate_lookup: Optional[bool] = None,
            action_populate_lookup_command: Optional[str] = None,
            action_populate_lookup_dest: Optional[str] = None,
            action_populate_lookup_hostname: Optional[str] = None,
            action_populate_lookup_max_results: Optional[int] = None,
            action_populate_lookup_max_time: Optional[int] = None,
            action_populate_lookup_track_alert: Optional[bool] = None,
            action_populate_lookup_ttl: Optional[str] = None,
            action_rss: Optional[bool] = None,
            action_rss_command: Optional[str] = None,
            action_rss_hostname: Optional[str] = None,
            action_rss_max_results: Optional[int] = None,
            action_rss_max_time: Optional[int] = None,
            action_rss_track_alert: Optional[bool] = None,
            action_rss_ttl: Optional[str] = None,
            action_script: Optional[bool] = None,
            action_script_command: Optional[str] = None,
            action_script_filename: Optional[str] = None,
            action_script_hostname: Optional[str] = None,
            action_script_max_results: Optional[int] = None,
            action_script_max_time: Optional[int] = None,
            action_script_track_alert: Optional[bool] = None,
            action_script_ttl: Optional[str] = None,
            action_slack_param_attachment: Optional[str] = None,
            action_slack_param_channel: Optional[str] = None,
            action_slack_param_fields: Optional[str] = None,
            action_slack_param_message: Optional[str] = None,
            action_slack_param_webhook_url_override: Optional[str] = None,
            action_snow_event_param_account: Optional[str] = None,
            action_snow_event_param_additional_info: Optional[str] = None,
            action_snow_event_param_ci_identifier: Optional[str] = None,
            action_snow_event_param_custom_fields: Optional[str] = None,
            action_snow_event_param_description: Optional[str] = None,
            action_snow_event_param_node: Optional[str] = None,
            action_snow_event_param_resource: Optional[str] = None,
            action_snow_event_param_severity: Optional[int] = None,
            action_snow_event_param_type: Optional[str] = None,
            action_summary_index: Optional[bool] = None,
            action_summary_index_command: Optional[str] = None,
            action_summary_index_hostname: Optional[str] = None,
            action_summary_index_inline: Optional[bool] = None,
            action_summary_index_max_results: Optional[int] = None,
            action_summary_index_max_time: Optional[int] = None,
            action_summary_index_name: Optional[str] = None,
            action_summary_index_track_alert: Optional[bool] = None,
            action_summary_index_ttl: Optional[str] = None,
            action_webhook_param_url: Optional[str] = None,
            actions: Optional[str] = None,
            alert_comparator: Optional[str] = None,
            alert_condition: Optional[str] = None,
            alert_digest_mode: Optional[bool] = None,
            alert_expires: Optional[str] = None,
            alert_severity: Optional[int] = None,
            alert_suppress: Optional[bool] = None,
            alert_suppress_fields: Optional[str] = None,
            alert_suppress_period: Optional[str] = None,
            alert_threshold: Optional[str] = None,
            alert_track: Optional[bool] = None,
            alert_type: Optional[str] = None,
            allow_skew: Optional[str] = None,
            auto_summarize: Optional[bool] = None,
            auto_summarize_command: Optional[str] = None,
            auto_summarize_cron_schedule: Optional[str] = None,
            auto_summarize_dispatch_earliest_time: Optional[str] = None,
            auto_summarize_dispatch_latest_time: Optional[str] = None,
            auto_summarize_dispatch_time_format: Optional[str] = None,
            auto_summarize_dispatch_ttl: Optional[str] = None,
            auto_summarize_max_disabled_buckets: Optional[int] = None,
            auto_summarize_max_summary_ratio: Optional[float] = None,
            auto_summarize_max_summary_size: Optional[int] = None,
            auto_summarize_max_time: Optional[int] = None,
            auto_summarize_suspend_period: Optional[str] = None,
            auto_summarize_timespan: Optional[str] = None,
            cron_schedule: Optional[str] = None,
            description: Optional[str] = None,
            disabled: Optional[bool] = None,
            dispatch_buckets: Optional[int] = None,
            dispatch_earliest_time: Optional[str] = None,
            dispatch_index_earliest: Optional[str] = None,
            dispatch_index_latest: Optional[str] = None,
            dispatch_indexed_realtime: Optional[bool] = None,
            dispatch_indexed_realtime_minspan: Optional[int] = None,
            dispatch_indexed_realtime_offset: Optional[int] = None,
            dispatch_latest_time: Optional[str] = None,
            dispatch_lookups: Optional[bool] = None,
            dispatch_max_count: Optional[int] = None,
            dispatch_max_time: Optional[int] = None,
            dispatch_reduce_freq: Optional[int] = None,
            dispatch_rt_backfill: Optional[bool] = None,
            dispatch_rt_maximum_span: Optional[int] = None,
            dispatch_spawn_process: Optional[bool] = None,
            dispatch_time_format: Optional[str] = None,
            dispatch_ttl: Optional[str] = None,
            display_view: Optional[str] = None,
            is_scheduled: Optional[bool] = None,
            is_visible: Optional[bool] = None,
            max_concurrent: Optional[int] = None,
            name: Optional[str] = None,
            realtime_schedule: Optional[bool] = None,
            request_ui_dispatch_app: Optional[str] = None,
            request_ui_dispatch_view: Optional[str] = None,
            restart_on_searchpeer_add: Optional[bool] = None,
            run_on_startup: Optional[bool] = None,
            schedule_priority: Optional[str] = None,
            schedule_window: Optional[str] = None,
            search: Optional[str] = None,
            vsid: Optional[str] = None,
            workload_pool: Optional[str] = None) -> SavedSearches
    func GetSavedSearches(ctx *Context, name string, id IDInput, state *SavedSearchesState, opts ...ResourceOption) (*SavedSearches, error)
    public static SavedSearches Get(string name, Input<string> id, SavedSearchesState? state, CustomResourceOptions? opts = null)
    public static SavedSearches get(String name, Output<String> id, SavedSearchesState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Acl SavedSearchesAcl
    The app/user context that is the namespace for the resource
    ActionCreateXsoarIncident string
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    ActionCreateXsoarIncidentParamCustomFields string
    XSOAR custom incident fields (should be a comma separated list)
    ActionCreateXsoarIncidentParamDetails string
    XSOAR incident description
    ActionCreateXsoarIncidentParamIncidentName string
    XSOAR incident name
    ActionCreateXsoarIncidentParamOccurred string
    XSOAR incident time
    ActionCreateXsoarIncidentParamSendAllServers string
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    ActionCreateXsoarIncidentParamServerUrl string
    XSOAR Server instance URL (Should start with https:// || http://)
    ActionCreateXsoarIncidentParamSeverity string
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    ActionCreateXsoarIncidentParamType string
    XSOAR incident type
    ActionEmail bool
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionEmailAuthPassword string
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    ActionEmailAuthUsername string
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    ActionEmailBcc string
    BCC email address to use if action.email is enabled.
    ActionEmailCc string
    CC email address to use if action.email is enabled.
    ActionEmailCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionEmailFormat string
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    ActionEmailFrom string
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    ActionEmailHostname string
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    ActionEmailIncludeResultsLink int
    Specify whether to include a link to the results. Defaults to 0.
    ActionEmailIncludeSearch int
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    ActionEmailIncludeTrigger int
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    ActionEmailIncludeTriggerTime int
    Specify whether to show the time that the alert was fired. Defaults to 0.
    ActionEmailIncludeViewLink int
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    ActionEmailInline bool
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    ActionEmailMailserver string
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    ActionEmailMaxResults int
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    ActionEmailMaxTime string
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    ActionEmailMessageAlert string
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    ActionEmailMessageReport string
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    ActionEmailPdfview string
    The name of the view to deliver if sendpdf is enabled
    ActionEmailPreprocessResults string
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    ActionEmailReportCidFontList string
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    ActionEmailReportIncludeSplunkLogo bool
    Indicates whether to include the Splunk logo with the report.
    ActionEmailReportPaperOrientation string
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    ActionEmailReportPaperSize string
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    ActionEmailReportServerEnabled bool
    No Supported
    ActionEmailReportServerUrl string
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    ActionEmailSendCsv int
    Specify whether to send results as a CSV file. Defaults to 0.
    ActionEmailSendPdf bool
    Indicates whether to create and send the results as a PDF. Defaults to false.
    ActionEmailSendResults bool
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    ActionEmailSubject string
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    ActionEmailTo string
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    ActionEmailTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionEmailTtl string
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    ActionEmailUseSsl bool
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    ActionEmailUseTls bool
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    ActionEmailWidthSortColumns bool
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    ActionJiraServiceDeskParamAccount string
    Jira Service Desk account name
    ActionJiraServiceDeskParamJiraDescription string
    Jira issue description
    ActionJiraServiceDeskParamJiraIssueType string
    Jira issue type name
    ActionJiraServiceDeskParamJiraPriority string
    Jira priority of issue
    ActionJiraServiceDeskParamJiraProject string
    Jira Project name
    ActionJiraServiceDeskParamJiraSummary string
    Jira issue title/summary
    ActionPagerdutyCustomDetails string
    The PagerDuty custom details information.
    ActionPagerdutyIntegrationKey string
    The PagerDuty integration Key.
    ActionPagerdutyIntegrationKeyOverride string
    The PagerDuty integration Key override.
    ActionPagerdutyIntegrationUrl string
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPagerdutyIntegrationUrlOverride string
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPopulateLookup bool
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionPopulateLookupCommand string
    The search command (or pipeline) which is responsible for executing the action.
    ActionPopulateLookupDest string
    Lookup name of path of the lookup to populate
    ActionPopulateLookupHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionPopulateLookupMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionPopulateLookupMaxTime int
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    ActionPopulateLookupTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionPopulateLookupTtl string
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    ActionRss bool
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    ActionRssCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionRssHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionRssMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionRssMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionRssTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionRssTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionScript bool
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionScriptCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionScriptFilename string
    File name of the script to call. Required if script action is enabled
    ActionScriptHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionScriptMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionScriptMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionScriptTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionScriptTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionSlackParamAttachment string
    Include a message attachment. Valid values are message, none, or alert_link
    ActionSlackParamChannel string
    Slack channel to send the message to (Should start with # or @)
    ActionSlackParamFields string
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    ActionSlackParamMessage string
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    ActionSlackParamWebhookUrlOverride string
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    ActionSnowEventParamAccount string
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    ActionSnowEventParamAdditionalInfo string
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    ActionSnowEventParamCiIdentifier string
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    ActionSnowEventParamCustomFields string
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    ActionSnowEventParamDescription string
    A brief description of the event.
    ActionSnowEventParamNode string
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    ActionSnowEventParamResource string
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    ActionSnowEventParamSeverity int
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    ActionSnowEventParamType string
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    ActionSummaryIndex bool
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionSummaryIndexCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionSummaryIndexHostname string
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionSummaryIndexInline bool
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    ActionSummaryIndexMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionSummaryIndexMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionSummaryIndexName string
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    ActionSummaryIndexTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionSummaryIndexTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionWebhookParamUrl string
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    Actions string
    A comma-separated list of actions to enable. For example: rss,email
    AlertComparator string
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    AlertCondition string
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    AlertDigestMode bool
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    AlertExpires string
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertSeverity int
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    AlertSuppress bool
    Indicates whether alert suppression is enabled for this scheduled search.
    AlertSuppressFields string
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    AlertSuppressPeriod string
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertThreshold string
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    AlertTrack bool
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    AlertType string
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    AllowSkew string
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    AutoSummarize bool
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    AutoSummarizeCommand string
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    AutoSummarizeCronSchedule string
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    AutoSummarizeDispatchEarliestTime string
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchLatestTime string
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchTimeFormat string
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    AutoSummarizeDispatchTtl string
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    AutoSummarizeMaxDisabledBuckets int
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    AutoSummarizeMaxSummaryRatio double
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    AutoSummarizeMaxSummarySize int
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    AutoSummarizeMaxTime int
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    AutoSummarizeSuspendPeriod string
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    AutoSummarizeTimespan string
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    CronSchedule string
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    Description string
    Human-readable description of this saved search. Defaults to empty string.
    Disabled bool
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    DispatchBuckets int
    The maximum number of timeline buckets. Defaults to 0.
    DispatchEarliestTime string
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexEarliest string
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexLatest string
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtime bool
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtimeMinspan int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchIndexedRealtimeOffset int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchLatestTime string
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchLookups bool
    Enables or disables the lookups for this search. Defaults to 1.
    DispatchMaxCount int
    The maximum number of results before finalizing the search. Defaults to 500000.
    DispatchMaxTime int
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    DispatchReduceFreq int
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    DispatchRtBackfill bool
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    DispatchRtMaximumSpan int
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    DispatchSpawnProcess bool
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    DispatchTimeFormat string
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    DispatchTtl string
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    DisplayView string
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    IsScheduled bool
    Whether this search is to be run on a schedule
    IsVisible bool
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    MaxConcurrent int
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    Name string
    A name for the search.
    RealtimeSchedule bool
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    RequestUiDispatchApp string
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    RequestUiDispatchView string
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    RestartOnSearchpeerAdd bool
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    RunOnStartup bool
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    SchedulePriority string
    Raises the scheduling priority of the named search. Defaults to Default
    ScheduleWindow string
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    Search string
    Required when creating a new search.
    Vsid string
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    WorkloadPool string
    Specifies the new workload pool where the existing running search will be placed.`
    Acl SavedSearchesAclArgs
    The app/user context that is the namespace for the resource
    ActionCreateXsoarIncident string
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    ActionCreateXsoarIncidentParamCustomFields string
    XSOAR custom incident fields (should be a comma separated list)
    ActionCreateXsoarIncidentParamDetails string
    XSOAR incident description
    ActionCreateXsoarIncidentParamIncidentName string
    XSOAR incident name
    ActionCreateXsoarIncidentParamOccurred string
    XSOAR incident time
    ActionCreateXsoarIncidentParamSendAllServers string
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    ActionCreateXsoarIncidentParamServerUrl string
    XSOAR Server instance URL (Should start with https:// || http://)
    ActionCreateXsoarIncidentParamSeverity string
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    ActionCreateXsoarIncidentParamType string
    XSOAR incident type
    ActionEmail bool
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionEmailAuthPassword string
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    ActionEmailAuthUsername string
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    ActionEmailBcc string
    BCC email address to use if action.email is enabled.
    ActionEmailCc string
    CC email address to use if action.email is enabled.
    ActionEmailCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionEmailFormat string
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    ActionEmailFrom string
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    ActionEmailHostname string
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    ActionEmailIncludeResultsLink int
    Specify whether to include a link to the results. Defaults to 0.
    ActionEmailIncludeSearch int
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    ActionEmailIncludeTrigger int
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    ActionEmailIncludeTriggerTime int
    Specify whether to show the time that the alert was fired. Defaults to 0.
    ActionEmailIncludeViewLink int
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    ActionEmailInline bool
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    ActionEmailMailserver string
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    ActionEmailMaxResults int
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    ActionEmailMaxTime string
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    ActionEmailMessageAlert string
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    ActionEmailMessageReport string
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    ActionEmailPdfview string
    The name of the view to deliver if sendpdf is enabled
    ActionEmailPreprocessResults string
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    ActionEmailReportCidFontList string
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    ActionEmailReportIncludeSplunkLogo bool
    Indicates whether to include the Splunk logo with the report.
    ActionEmailReportPaperOrientation string
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    ActionEmailReportPaperSize string
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    ActionEmailReportServerEnabled bool
    No Supported
    ActionEmailReportServerUrl string
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    ActionEmailSendCsv int
    Specify whether to send results as a CSV file. Defaults to 0.
    ActionEmailSendPdf bool
    Indicates whether to create and send the results as a PDF. Defaults to false.
    ActionEmailSendResults bool
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    ActionEmailSubject string
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    ActionEmailTo string
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    ActionEmailTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionEmailTtl string
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    ActionEmailUseSsl bool
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    ActionEmailUseTls bool
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    ActionEmailWidthSortColumns bool
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    ActionJiraServiceDeskParamAccount string
    Jira Service Desk account name
    ActionJiraServiceDeskParamJiraDescription string
    Jira issue description
    ActionJiraServiceDeskParamJiraIssueType string
    Jira issue type name
    ActionJiraServiceDeskParamJiraPriority string
    Jira priority of issue
    ActionJiraServiceDeskParamJiraProject string
    Jira Project name
    ActionJiraServiceDeskParamJiraSummary string
    Jira issue title/summary
    ActionPagerdutyCustomDetails string
    The PagerDuty custom details information.
    ActionPagerdutyIntegrationKey string
    The PagerDuty integration Key.
    ActionPagerdutyIntegrationKeyOverride string
    The PagerDuty integration Key override.
    ActionPagerdutyIntegrationUrl string
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPagerdutyIntegrationUrlOverride string
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    ActionPopulateLookup bool
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionPopulateLookupCommand string
    The search command (or pipeline) which is responsible for executing the action.
    ActionPopulateLookupDest string
    Lookup name of path of the lookup to populate
    ActionPopulateLookupHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionPopulateLookupMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionPopulateLookupMaxTime int
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    ActionPopulateLookupTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionPopulateLookupTtl string
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    ActionRss bool
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    ActionRssCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionRssHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionRssMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionRssMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionRssTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionRssTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionScript bool
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionScriptCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionScriptFilename string
    File name of the script to call. Required if script action is enabled
    ActionScriptHostname string
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionScriptMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionScriptMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionScriptTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionScriptTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionSlackParamAttachment string
    Include a message attachment. Valid values are message, none, or alert_link
    ActionSlackParamChannel string
    Slack channel to send the message to (Should start with # or @)
    ActionSlackParamFields string
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    ActionSlackParamMessage string
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    ActionSlackParamWebhookUrlOverride string
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    ActionSnowEventParamAccount string
    Account(s) for which the event is/ are to be created across ServiceNow instance(s).
    ActionSnowEventParamAdditionalInfo string
    You can pass additional information that might be of use to the user. This field can also be used to supply the URL of your Splunk search head. When you use the snow_event.py alert-triggered script, the Splunk platform uses the URL to create a deep link that allows a ServiceNow user to navigate back to this Splunk platform search. You can find the resulting full URL for navigation from ServiceNow to the Splunk platform search by clicking Splunk Drilldown in the event page in ServiceNow. See an example below. Note that if you create events using the commands snowevent or snoweventstream, you must supply the URL in this field.You can pass the URL of Splunk as url=. You can also pass other fields and their values by || separated key-value format. For example, url=||k1=v1||k2=v2||....
    ActionSnowEventParamCiIdentifier string
    String that represents a configuration item in your network. You can pass value as || separated key-value format. For example, k1=v1||k2=v2.
    ActionSnowEventParamCustomFields string
    The custom fields which are configured at the ServiceNow Instance. You can pass the custom fields and their values in the || separated format. For example, custom_field1=value1||custom_field2=value2||...custom_fields used must be present in the em_event table of ServiceNow.
    ActionSnowEventParamDescription string
    A brief description of the event.
    ActionSnowEventParamNode string
    The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI.
    ActionSnowEventParamResource string
    The resource, formatted to follow your organization's ITIL standards and mapping. For example, resource='CPU'.
    ActionSnowEventParamSeverity int
    The severity associated with the event. 0 - Clear 1 - Critical 2 - Major 3 - Minor 4 - Warning
    ActionSnowEventParamType string
    The type, formatted to follow your organization's ITIL standards and mapping. For example, type='Virtual Machine'.
    ActionSummaryIndex bool
    The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    ActionSummaryIndexCommand string
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    ActionSummaryIndexHostname string
    Sets the hostname used in the web link (url) sent in summary-index alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    ActionSummaryIndexInline bool
    Determines whether to execute the summary indexing action as part of the scheduled search.NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).Defaults to true
    ActionSummaryIndexMaxResults int
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    ActionSummaryIndexMaxTime int
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    ActionSummaryIndexName string
    Specifies the name of the summary index where the results of the scheduled search are saved.Defaults to summary.
    ActionSummaryIndexTrackAlert bool
    Indicates whether the execution of this action signifies a trackable alert.
    ActionSummaryIndexTtl string
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    ActionWebhookParamUrl string
    URL to send the HTTP POST request to. Must be accessible from the Splunk server
    Actions string
    A comma-separated list of actions to enable. For example: rss,email
    AlertComparator string
    One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by percUsed with alert_threshold to trigger alert actions.
    AlertCondition string
    Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
    AlertDigestMode bool
    Specifies whether alert actions are applied to the entire result set or on each individual result.Defaults to 1 (true).
    AlertExpires string
    Valid values: [number][time-unit]Sets the period of time to show the alert in the dashboard. Defaults to 24h.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertSeverity int
    Valid values: (1 | 2 | 3 | 4 | 5 | 6) Sets the alert severity level.Valid values are:1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL Defaults to 3.
    AlertSuppress bool
    Indicates whether alert suppression is enabled for this scheduled search.
    AlertSuppressFields string
    Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
    AlertSuppressPeriod string
    Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled.Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.
    AlertThreshold string
    Valid values are: Integer[%]Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to rises by perc or drops by perc.
    AlertTrack bool
    Valid values: (true | false | auto) Specifies whether to track the actions triggered by this scheduled search.auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. Default value true - force alert tracking.false - disable alert tracking for this search.
    AlertType string
    What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
    AllowSkew string
    Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods.
    AutoSummarize bool
    Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.
    AutoSummarizeCommand string
    An auto summarization template for this search. See auto summarization options in savedsearches.conf for more details.
    AutoSummarizeCronSchedule string
    Cron schedule that probes and generates the summaries for this saved search.The default value is */10 * * * * and corresponds to `every ten hours`.
    AutoSummarizeDispatchEarliestTime string
    A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchLatestTime string
    A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    AutoSummarizeDispatchTimeFormat string
    Defines the time format that Splunk software uses to specify the earliest and latest time. Defaults to %FT%T.%Q%:z
    AutoSummarizeDispatchTtl string
    Valid values: Integer[p]. Defaults to 60.Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.
    AutoSummarizeMaxDisabledBuckets int
    The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.
    AutoSummarizeMaxSummaryRatio float64
    The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1 Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.
    AutoSummarizeMaxSummarySize int
    The minimum summary size, in bytes, before testing whether the summarization is helpful.The default value is 52428800 and is equivalent to 5MB.
    AutoSummarizeMaxTime int
    Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600.Note: This is an approximate time. The summary search stops at clean bucket boundaries.
    AutoSummarizeSuspendPeriod string
    Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.Defaults to 24h.
    AutoSummarizeTimespan string
    The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.
    CronSchedule string
    Valid values: cron stringThe cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
    Description string
    Human-readable description of this saved search. Defaults to empty string.
    Disabled bool
    Indicates if the saved search is enabled. Defaults to 0.Disabled saved searches are not visible in Splunk Web.
    DispatchBuckets int
    The maximum number of timeline buckets. Defaults to 0.
    DispatchEarliestTime string
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexEarliest string
    A time string that specifies the earliest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexLatest string
    A time string that specifies the latest index time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtime bool
    A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchIndexedRealtimeMinspan int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchIndexedRealtimeOffset int
    Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf.
    DispatchLatestTime string
    A time string that specifies the latest time for this saved search. Can be a relative or absolute time.If this value is an absolute time, use the dispatch.time_format to format the value.
    DispatchLookups bool
    Enables or disables the lookups for this search. Defaults to 1.
    DispatchMaxCount int
    The maximum number of results before finalizing the search. Defaults to 500000.
    DispatchMaxTime int
    Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.
    DispatchReduceFreq int
    Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.
    DispatchRtBackfill bool
    Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.
    DispatchRtMaximumSpan int
    Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf.
    DispatchSpawnProcess bool
    Specifies whether a new search process spawns when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.
    DispatchTimeFormat string
    A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z
    DispatchTtl string
    Valid values: Integer[p]. Defaults to 2p.Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
    DisplayView string
    Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
    IsScheduled bool
    Whether this search is to be run on a schedule
    IsVisible bool
    Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.
    MaxConcurrent int
    The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.
    Name string
    A name for the search.
    RealtimeSchedule bool
    Defaults to 1. Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.
    RequestUiDispatchApp string
    Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
    RequestUiDispatchView string
    Specifies a field used by Splunk Web to denote the view this search should be displayed in.
    RestartOnSearchpeerAdd bool
    Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1.
    RunOnStartup bool
    Indicates whether this search runs at startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set to 1 for scheduled searches that populate lookup tables.
    SchedulePriority string
    Raises the scheduling priority of the named search. Defaults to Default
    ScheduleWindow string
    Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period.Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.
    Search string
    Required when creating a new search.
    Vsid string
    Defines the viewstate id associated with the UI view listed in 'displayview'.
    WorkloadPool string
    Specifies the new workload pool where the existing running search will be placed.`
    acl SavedSearchesAcl
    The app/user context that is the namespace for the resource
    actionCreateXsoarIncident String
    Enable XSOAR alerting (Should by 1 (Enabled) or 0 (Disabled))
    actionCreateXsoarIncidentParamCustomFields String
    XSOAR custom incident fields (should be a comma separated list)
    actionCreateXsoarIncidentParamDetails String
    XSOAR incident description
    actionCreateXsoarIncidentParamIncidentName String
    XSOAR incident name
    actionCreateXsoarIncidentParamOccurred String
    XSOAR incident time
    actionCreateXsoarIncidentParamSendAllServers String
    Enable XSOAR alerting sending to all servers (Should by 1 (Enabled) or 0 (Disabled)
    actionCreateXsoarIncidentParamServerUrl String
    XSOAR Server instance URL (Should start with https:// || http://)
    actionCreateXsoarIncidentParamSeverity String
    XSOAR Severity (1 - Low, 2 - Medium, 3 - High, 4 - Critical)
    actionCreateXsoarIncidentParamType String
    XSOAR incident type
    actionEmail Boolean
    The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionEmailAuthPassword String
    The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart.Defaults to empty string.
    actionEmailAuthUsername String
    The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty stringNOTE: Your SMTP server might reject unauthenticated emails.
    actionEmailBcc String
    BCC email address to use if action.email is enabled.
    actionEmailCc String
    CC email address to use if action.email is enabled.
    actionEmailCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionEmailFormat String
    Valid values: (table | plain | html | raw | csv)Specify the format of text in the email. This value also applies to any attachments.
    actionEmailFrom String
    Email address from which the email action originates.Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.
    actionEmailHostname String
    Sets the hostname used in the web link (url) sent in email actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)
    actionEmailIncludeResultsLink Integer
    Specify whether to include a link to the results. Defaults to 0.
    actionEmailIncludeSearch Integer
    Specify whether to include the search that caused an email to be sent. Defaults to 0.
    actionEmailIncludeTrigger Integer
    Specify whether to show the trigger condition that caused the alert to fire. Defaults to 0.
    actionEmailIncludeTriggerTime Integer
    Specify whether to show the time that the alert was fired. Defaults to 0.
    actionEmailIncludeViewLink Integer
    Specify whether to show the title and a link to enable the user to edit the saved search. Defaults to 0.
    actionEmailInline Boolean
    Indicates whether the search results are contained in the body of the email.Results can be either inline or attached to an email.
    actionEmailMailserver String
    Set the address of the MTA server to be used to send the emails.Defaults to or whatever is set in alert_actions.conf.
    actionEmailMaxResults Integer
    Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.
    actionEmailMaxTime String
    Valid values are Integer[m|s|h|d].Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.
    actionEmailMessageAlert String
    Customize the message sent in the emailed alert. Defaults to: The alert condition for '$name$' was triggered.
    actionEmailMessageReport String
    Customize the message sent in the emailed report. Defaults to: The scheduled report '$name$' has run
    actionEmailPdfview String
    The name of the view to deliver if sendpdf is enabled
    actionEmailPreprocessResults String
    Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).Usually the preprocessing consists of filtering out unwanted internal fields.
    actionEmailReportCidFontList String
    Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.To skip loading any CID fonts, specify the empty string.Defaults to 'gb cns jp kor'
    actionEmailReportIncludeSplunkLogo Boolean
    Indicates whether to include the Splunk logo with the report.
    actionEmailReportPaperOrientation String
    Valid values: (portrait | landscape)Specifies the paper orientation: portrait or landscape. Defaults to portrait.
    actionEmailReportPaperSize String
    Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)Specifies the paper size for PDFs. Defaults to letter.
    actionEmailReportServerEnabled Boolean
    No Supported
    actionEmailReportServerUrl String
    Not supported.For a default locally installed report server, the URL is http://localhost:8091/
    actionEmailSendCsv Integer
    Specify whether to send results as a CSV file. Defaults to 0.
    actionEmailSendPdf Boolean
    Indicates whether to create and send the results as a PDF. Defaults to false.
    actionEmailSendResults Boolean
    Indicates whether to attach the search results in the email.Results can be either attached or inline. See action.email.inline.
    actionEmailSubject String
    Specifies an alternate email subject.Defaults to SplunkAlert-.
    actionEmailTo String
    A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
    actionEmailTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionEmailTtl String
    Valid values are Integer[p].Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours).If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.
    actionEmailUseSsl Boolean
    Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.
    actionEmailUseTls Boolean
    Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).Defaults to false.
    actionEmailWidthSortColumns Boolean
    Indicates whether columns should be sorted from least wide to most wide, left to right.Only valid if format=text.
    actionJiraServiceDeskParamAccount String
    Jira Service Desk account name
    actionJiraServiceDeskParamJiraDescription String
    Jira issue description
    actionJiraServiceDeskParamJiraIssueType String
    Jira issue type name
    actionJiraServiceDeskParamJiraPriority String
    Jira priority of issue
    actionJiraServiceDeskParamJiraProject String
    Jira Project name
    actionJiraServiceDeskParamJiraSummary String
    Jira issue title/summary
    actionPagerdutyCustomDetails String
    The PagerDuty custom details information.
    actionPagerdutyIntegrationKey String
    The PagerDuty integration Key.
    actionPagerdutyIntegrationKeyOverride String
    The PagerDuty integration Key override.
    actionPagerdutyIntegrationUrl String
    The pagerduty integration URL. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPagerdutyIntegrationUrlOverride String
    The pagerduty integration URL override. This integration uses Splunk's native webhooks to send events to PagerDuty.
    actionPopulateLookup Boolean
    The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionPopulateLookupCommand String
    The search command (or pipeline) which is responsible for executing the action.
    actionPopulateLookupDest String
    Lookup name of path of the lookup to populate
    actionPopulateLookupHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionPopulateLookupMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionPopulateLookupMaxTime Integer
    Valid values are: Integer[m|s|h|d]Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
    actionPopulateLookupTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionPopulateLookupTtl String
    Valid values are Integer[p]Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
    actionRss Boolean
    The state of the rss action. Read-only attribute. Value ignored on POST.Use actions to specify a list of enabled actions. Defaults to 0.
    actionRssCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionRssHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionRssMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionRssMaxTime Integer
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionRssTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionRssTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionScript Boolean
    The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.
    actionScriptCommand String
    The search command (or pipeline) which is responsible for executing the action.Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.
    actionScriptFilename String
    File name of the script to call. Required if script action is enabled
    actionScriptHostname String
    Sets the hostname used in the web link (url) sent in alert actions.This value accepts two forms:hostname (for example, splunkserver, splunkserver.example.com)\n\nprotocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)
    actionScriptMaxResults Integer
    Sets the maximum number of search results sent using alerts. Defaults to 100.
    actionScriptMaxTime Integer
    Valid values are Integer[m|s|h|d].Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
    actionScriptTrackAlert Boolean
    Indicates whether the execution of this action signifies a trackable alert.
    actionScriptTtl String
    Valid values are: Integer[p] Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
    actionSlackParamAttachment String
    Include a message attachment. Valid values are message, none, or alert_link
    actionSlackParamChannel String
    Slack channel to send the message to (Should start with # or @)
    actionSlackParamFields String
    Show one or more fields from the search results below your Slack message. Comma-separated list of field names. Allows wildcards. eg. index,source*
    actionSlackParamMessage String
    Enter the chat message to send to the Slack channel. The message can include tokens that insert text based on the results of the search.
    actionSlackParamWebhookUrlOverride String
    You can override the Slack webhook URL here if you need to send the alert message to a different Slack team
    actionSnowEventParamAccount