Splunk · Schema
SearchJobCreateRequest
Analytics, Data Analysis, Logging, Machine Data, Monitoring, Observability, Platform, Security, SIEM
Properties
| Name | Type | Description |
|---|---|---|
| search | string | The SPL search query to execute |
| earliest_time | string | Earliest time for the search using relative or absolute time format |
| latest_time | string | Latest time for the search |
| search_mode | string | The search mode |
| exec_mode | string | Execution mode. Normal runs asynchronously, oneshot runs synchronously, blocking waits for completion. |
| max_count | integer | Maximum number of results to return |
| max_time | integer | Maximum time in seconds before the search is finalized |
| timeout | integer | Number of seconds to keep the search after processing has stopped |
| rf | string | Comma-separated list of required fields to include in results |
| namespace | string | Application namespace for the search |
| id | string | Optional custom search ID. If not specified, Splunk generates one automatically. |
| status_buckets | integer | Number of status buckets to generate for the search timeline. Set to a value greater than 0 to enable timeline. |
| auto_cancel | integer | Seconds of inactivity after which the search is automatically cancelled. 0 means never auto-cancel. |
| auto_finalize_ec | integer | Auto-finalize the search after this number of events have been processed. 0 disables auto-finalize. |
| auto_pause | integer | Seconds of inactivity after which the search is automatically paused. 0 means never auto-pause. |
| enable_lookups | boolean | Whether to enable lookups during the search |
| reload_macros | boolean | Whether to reload macro definitions before the search |
| reduce_freq | integer | How frequently to invoke the reduce phase (seconds) |
| spawn_process | boolean | Whether to run the search in a separate process |