components: parameters: AuthorizationHeader: description: | Access token provided by the user (obtained from a known identity provider). in: header name: Authorization required: true schema: pattern: ^Bearer .+ type: string Earliest: description: | The earliest time filter, in absolute time. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2021-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. in: query name: earliest schema: type: string Field: description: | One or more fields to return for the result set. Use a comma-separated list of field names to specify multiple fields. in: query name: field schema: type: string Latest: description: | The latest time filter in absolute time. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2021-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. Latest time must be after Earliest time. in: query name: latest schema: type: string SidFilter: description: | Filter the list of jobs by 'sid'. Valid format is `sid IN ({comma-separated list of SIDs. Each SID must be enclosed in double quotation marks.})`. A maximum of 30 SIDs can be specified in one query. in: query name: filter schema: type: string StatusFilter: description: | Filter the list of jobs by status. Valid status values are 'running', 'done', 'canceled', or 'failed'. in: query name: status schema: $ref: '#/components/schemas/SearchStatus' connectionName: description: The name of the federated connection. in: path name: connectionName required: true schema: type: string count: description: | The maximum number of jobs that you want to return the status entries for. in: query name: count schema: default: 1000 type: integer datasetid: description: The dataset ID. in: path name: datasetid required: true schema: type: string filename: description: | The export results filename. Default: exportResults in: query name: filename schema: type: string offset: description: Index number identifying the location of the first item to return. in: query name: offset schema: default: 0 type: integer outputMode: description: | Specifies the format for the returned output. in: query name: outputMode schema: enum: - csv - json type: string sid: description: The search ID. in: path name: sid required: true schema: type: string tenant: description: The system tenant ID. in: path name: tenant required: true schema: type: string schemas: Dataset: description: A complete dataset as rendered in POST, PATCH responses. discriminator: mapping: federated: '#/components/schemas/FederatedDataset' index: '#/components/schemas/IndexDataset' kvcollection: '#/components/schemas/KVCollectionDataset' lookup: '#/components/schemas/LookupDataset' metric: '#/components/schemas/MetricDataset' propertyName: kind oneOf: - $ref: '#/components/schemas/LookupDataset' - $ref: '#/components/schemas/IndexDataset' - $ref: '#/components/schemas/FederatedDataset' - $ref: '#/components/schemas/MetricDataset' - $ref: '#/components/schemas/KVCollectionDataset' DatasetCommon: description: Properties that are common across all Dataset kinds rendered in POST, PATCH, and GET responses. properties: appclientidcreatedby: description: AppClinetId of the creator app of the dataset. type: string appclientidmodifiedby: description: AppClinetId of the modifier app of the dataset. type: string description: description: Detailed description of the dataset. type: string id: description: A unique dataset ID. example: 5bbf6d876d059d0b9ea8da3e format: mongo-object-id maxLength: 24 minLength: 24 type: string name: description: The dataset name. Dataset names must be unique within each module. example: nameOfDataset maxLength: 100 type: string namespace: description: The name of the namespace that contains the dataset. example: nameOfNamespace maxLength: 100 type: string resourcename: description: The dataset name qualified by the module name. example: nameOfModule.nameOfDataset maxLength: 201 type: string summary: description: Summary of the dataset's purpose. type: string title: description: The title of the dataset. Does not have to be unique. example: titleOfDataset type: string required: - id - module - name - resourcename type: object DatasetPATCH: description: Property values to be set in an existing dataset using a PATCH request. oneOf: - $ref: '#/components/schemas/LookupDatasetPATCH' - $ref: '#/components/schemas/IndexDatasetPATCH' - $ref: '#/components/schemas/FederatedDatasetPATCH' - $ref: '#/components/schemas/MetricDatasetPATCH' - $ref: '#/components/schemas/KVCollectionDatasetPATCH' DatasetPATCHCommon: description: Properties that are common across all Dataset kinds to be set in an existing dataset using a PATCH request. properties: module: description: The name of module to reassign dataset into. example: nameOfModule maxLength: 100 type: string name: description: The dataset name. Dataset names must be unique within each module. example: nameOfDataset maxLength: 100 type: string owner: description: The name of the dataset owner. This value is obtained from the bearer token. example: johndoe maxLength: 24 type: string type: object DatasetPOST: description: Properties that are common across all Dataset kinds for creating a new dataset using a POST request. properties: fields: description: The fields to be associated with this dataset. items: $ref: '#/components/schemas/FieldPOST' type: array id: description: A unique dataset ID. Random ID used if not provided. example: 5bc3c0cdfee0d854a4188132 format: mongo-object-id maxLength: 24 minLength: 24 type: string module: description: The name of the module to create the new dataset in. example: nameOfModule maxLength: 100 type: string name: description: The dataset name. Dataset names must be unique within each module. example: nameOfDataset maxLength: 100 type: string required: - name type: object DatasetReadOnlyProperties: description: Properties of metric datasets which can only be read through the API. properties: earliestEventTime: description: The timestamp, in seconds, of the earliest measure. The timestamp is in UNIX time. readOnly: true type: string earliestIngestTime: description: The earliest index time for any of the measures in this index. readOnly: true type: string latestEventTime: description: The timestamp, in seconds, of the latest measure. The timestamp is in UNIX time. readOnly: true type: string latestIngestTime: description: The earliest index time for any of the measures in this index. readOnly: true type: string latestMetadataUpdateTime: description: The latest time that the metric index metadata was refreshed. readOnly: true type: string totalEventCount: description: THe number of measures in the metric index. readOnly: true type: integer totalSize: description: For metrics indexes, the totalSize is set to 0. readOnly: true type: integer type: object DateMetadataProperties: description: Created and Modified date-time properties for inclusion in other objects. properties: created: description: The date and time object was created. example: "2018-10-14 10:18:53.000417" pattern: '[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1]) (2[0-3]|[01][0-9]):[0-5][0-9]:[0-5][0-9].[0-9]{6}' readOnly: true type: string modified: description: The date and time object was modified. example: "2018-10-11 07:56:35.000770" pattern: '[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1]) (2[0-3]|[01][0-9]):[0-5][0-9]:[0-5][0-9].[0-9]{6}' readOnly: true type: string required: - created - modified type: object DeleteSearchJob: description: A delete search job, including read-only fields that includes the required properties. properties: allowSideEffects: default: true description: | Specifies that the delete search job contains side effects, with possible security risks. readOnly: true type: boolean collectEventSummary: default: false description: | This property does not apply to delete search jobs endpoint and is set to false by default. readOnly: true type: boolean collectFieldSummary: default: false description: | This property does not apply to delete search jobs endpoint and is set to false by default. readOnly: true type: boolean collectTimeBuckets: default: false description: | This property does not apply to delete search jobs endpoint and is set to false by default. readOnly: true type: boolean completionTime: description: | The time, in GMT, that the search job is finished. Empty if the search job has not completed. readOnly: true type: string dispatchTime: description: | The time, in GMT, that the search job is dispatched. readOnly: true type: string enablePreview: default: false description: | This property does not apply to delete search jobs endpoint and is set to false by default. readOnly: true type: boolean extractFields: default: none description: | Specifies how the Search service should extract fields. Valid values include 'all', 'none', or 'indexed'. 'all' will extract all fields, 'indexed' will extract only indexed fields, and 'none' will extract only the default fields. This parameter overwrites the value of the 'extractAllFields' parameter. Set to 'none' for better search performance. type: string index: description: The index to delete the events from. type: string maxTime: default: 3600 description: | The amount of time, in seconds, to run the delete search job before finalizing the search. The maximum value is 3600 seconds (1 hour). maximum: 3600 minimum: 1 type: integer messages: items: $ref: '#/components/schemas/Message' type: array module: description: The module to run the delete search job in. The default module is used if the module field is empty. type: string name: description: The name of the search job. maxLength: 100 readOnly: true type: string percentComplete: default: 0 description: An estimate of the percent of time remaining before the delete search job completes. readOnly: true type: integer predicate: description: The predicate expression that identifies the events to delete from the index. This expression must return true or false. To delete all events from the index, specify "true" instead of an expression. type: string previewAvailable: default: false description: This property does not apply to delete search jobs endpoint and is set to false by default. readOnly: true type: string query: description: The SPL search string that includes the index, module, and predicate that you specify. readOnly: true type: string queryParameters: allOf: - $ref: '#/components/schemas/QueryParameters' description: Represents parameters on the search job such as 'earliest' and 'latest'. requiredFreshness: default: 0 description: | This property does not apply to delete search jobs endpoint and is set to 0 by default. readOnly: true type: integer resolvedEarliest: description: | The earliest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resolvedLatest: description: | The latest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resultsAvailable: default: 0 description: The number of results produced so far by the delete search job that are going to be deleted. readOnly: true type: integer resultsPreviewAvailable: default: 0 description: This property does not apply to delete search jobs endpoint and is set to 0 by default. readOnly: true type: integer sid: description: The ID assigned to the delete search job. readOnly: true type: string status: $ref: '#/components/schemas/SearchStatus' required: - index - module - predicate type: object Error: properties: code: type: string details: items: type: object type: array message: type: string type: object FederatedConnection: description: A fully constructed federated connection object. properties: created: description: The timestamp when the federated connection was created. example: 2021-06-01 23:08:51.888000Z type: string createdby: description: The user who created the federated connection. example: user@example.com type: string hostnameip: description: The remote hostname to connect yo. example: ec-botsv2.portal.io maxLength: 100 type: string modified: description: The timestamp when the federated connection was modified. example: 2021-06-01 23:08:51.888000Z type: string modifiedby: description: The user who last modified the federated connection. example: user@example.com type: string name: description: The name of the federated connection. example: connectionobject maxLength: 100 type: string port: description: The remote port number. example: 8080 type: number serviceaccountuser: description: The username on the service account. example: username maxLength: 100 type: string type: object FederatedConnectionInput: description: | The property values for creating a new federated connection using a PUT or POST request. properties: hostnameip: description: The remote hostname to connect to. example: ec-botsv2.portal.io maxLength: 100 type: string name: description: The name of the federated connection. example: connectionobject maxLength: 100 type: string port: description: The remote port number. example: 8080 type: number serviceaccountpassword: description: The password of the service account. example: password maxLength: 100 type: string serviceaccountuser: description: The username on the service account. example: username maxLength: 100 type: string required: - name - hostnameip - port - serviceaccountuser - serviceaccountpassword type: object FederatedDataset: allOf: - $ref: '#/components/schemas/FederatedDatasetProperties' - $ref: '#/components/schemas/MetadataProperties' - $ref: '#/components/schemas/DatasetCommon' description: A complete federated dataset as rendered in POST, PATCH, and GET responses. required: - kind - federatedConnection - federatedDataset - federatedDatasetKind type: object FederatedDatasetKind: description: The dataset kind. enum: - federated type: string FederatedDatasetPATCH: allOf: - $ref: '#/components/schemas/FederatedDatasetProperties' - $ref: '#/components/schemas/DatasetPATCHCommon' description: Property values to be set in an existing federated dataset using a PATCH request. FederatedDatasetProperties: description: Properties of job datasets which may be read, set, and changed through the API. Implementation detail of DatasetPOST, DatasetPATCH, and Dataset, do not use directly. properties: federatedConnection: description: Connection information to connect to remote federated connection. type: string federatedDataset: description: Dataset information in the remote instance. type: string federatedDatasetKind: description: Dataset kind information in the remote instance. type: string kind: $ref: '#/components/schemas/FederatedDatasetKind' type: object Field: description: Initial property values for creating a new field using a POST request. properties: datasetid: description: The dataset that the field is part of. example: 5bc1a6fefee0d854a4188125 format: mongo-object-id maxLength: 24 minLength: 24 type: string datatype: $ref: '#/components/schemas/FieldDataType' description: description: The field description. example: Count of all the users in the request type: string fieldtype: $ref: '#/components/schemas/FieldType' id: description: The unique ID of this field. example: 5bc1a7a0fee0d854a418812e format: mongo-object-id maxLength: 24 minLength: 24 type: string indexed: description: Whether or not the field has been indexed. type: boolean name: description: The field name. example: nameOfField maxLength: 100 type: string prevalence: $ref: '#/components/schemas/FieldPrevalence' summary: description: The field summary. example: Count of the users type: string title: description: The field title. example: User Count type: string required: - name type: object FieldDataType: description: The type of data in the field. Must be one of the valid values. enum: - DATE - NUMBER - OBJECT_ID - STRING - UNKNOWN type: string FieldPOST: allOf: - $ref: '#/components/schemas/FieldProperties' description: Initial property values for creating a new field using a POST request. required: - name type: object FieldPrevalence: description: How frequent the field appears in the dataset. Must be one of the valid values. enum: - ALL - SOME - UNKNOWN type: string FieldProperties: description: Properties of fields which can be read, set, and changed through the API. Implementation detail of FieldPOST, FieldPATCH, and Field, do not use directly. properties: datatype: $ref: '#/components/schemas/FieldDataType' description: description: The field description. example: Count of all the users in the request type: string fieldtype: $ref: '#/components/schemas/FieldType' indexed: description: Whether or not the field has been indexed. type: boolean name: description: The field name. example: nameOfField maxLength: 100 type: string prevalence: $ref: '#/components/schemas/FieldPrevalence' summary: description: The field summary. example: Count of the users type: string title: description: The field title. example: User Count type: string FieldType: description: The type of field. Must be one of the valid values. enum: - DIMENSION - MEASURE - UNKNOWN type: string FieldsSummary: description: A statistical summary of the fields in the events to date, for the search ID (SID). properties: duration: description: The amount of time, in seconds, that a time bucket spans from the earliest to the latest time. format: double type: number earliestTime: description: The earliest timestamp, in UTC format, of the events to process. type: string eventCount: description: The total number of events for all fields returned in the time range (earliestTime and latestTime) specified. type: integer fields: additionalProperties: $ref: '#/components/schemas/SingleFieldSummary' description: A list of the fields in the time range specified. type: object latestTime: description: The latest timestamp, in UTC format, of the events to process. type: string type: object IndexDataset: allOf: - $ref: '#/components/schemas/IndexDatasetProperties' - $ref: '#/components/schemas/IndexDatasetReadOnlyProperties' - $ref: '#/components/schemas/MetadataProperties' - $ref: '#/components/schemas/DatasetCommon' description: A complete index dataset as rendered in POST, PATCH, and GET responses. required: - kind - disabled type: object IndexDatasetKind: description: The dataset kind. enum: - index type: string IndexDatasetPATCH: allOf: - $ref: '#/components/schemas/IndexDatasetProperties' - $ref: '#/components/schemas/DatasetPATCHCommon' description: Property values to be set in an existing index dataset using a PATCH request. IndexDatasetProperties: description: Properties of job datasets which may be read, set, and changed through the API. Implementation detail of DatasetPOST, DatasetPATCH, and Dataset, do not use directly. properties: disabled: description: Specifies whether or not the Splunk index is disabled. type: boolean frozenTimePeriodInSecs: description: The frozenTimePeriodInSecs to use for the index type: integer kind: $ref: '#/components/schemas/IndexDatasetKind' type: object IndexDatasetReadOnlyProperties: description: Properties of index datasets which can only be read through the API. properties: earliestEventTime: description: The timestamp, in seconds, of the earliest event. The timestamp is in UNIX time. type: string earliestIngestTime: description: The earliest index time for any of the events in this index. type: string kind: $ref: '#/components/schemas/IndexDatasetKind' latestEventTime: description: The timestamp, in seconds, of the latest event. The timestamp is in UNIX time. type: string latestIngestTime: description: The latest index time for any of the events in this index. type: string latestMetadataUpdateTime: description: The latest time that the index metadata was refreshed. type: string totalEventCount: description: The number of events in the index. format: int64 type: integer totalSize: description: The raw size, in bytes, of the uncompressed data in the indexers. format: int64 type: integer type: object KVCollectionDataset: allOf: - $ref: '#/components/schemas/KVCollectionDatasetProperties' - $ref: '#/components/schemas/MetadataProperties' - $ref: '#/components/schemas/DatasetCommon' description: A complete kvcollection dataset as rendered in POST, PATCH, and GET responses. required: - kind type: object KVCollectionDatasetKind: description: The dataset kind. enum: - kvcollection type: string KVCollectionDatasetPATCH: allOf: - $ref: '#/components/schemas/KVCollectionDatasetProperties' - $ref: '#/components/schemas/DatasetPATCHCommon' description: Property values to be set in an existing kvcollection dataset using a PATCH request. KVCollectionDatasetProperties: description: Properties of kvcollection datasets which may be read, set, and changed through the API. Implementation detail of DatasetPOST, DatasetPATCH, and Dataset, do not use directly. properties: kind: $ref: '#/components/schemas/KVCollectionDatasetKind' type: object ListDatasets: description: A list of fully constructed datasets properties: results: description: List of all datasets items: $ref: '#/components/schemas/Dataset' type: array type: object ListFederatedConnections: description: A list of federated connections items: $ref: '#/components/schemas/FederatedConnection' type: array ListPreviewResultsResponse: description: The structure of the response body for the preview search results that is returned for the job with the specified search ID (SID). When search is running, it might return incomplete or truncated search results. The isPreviewStable property indicates whether the returned preview results stucture is stable or not. Truncated preview results occur because the number of requested results exceeds the page limit. Use the 'nextLink' URL to retrieve the next page of results. properties: fields: items: properties: dataSource: type: string groupbyRank: type: string name: type: string splitField: type: string splitValue: type: string splitbySpecial: type: string typeSpecial: type: string required: - name type: object type: array isPreviewStable: type: boolean messages: items: $ref: '#/components/schemas/Message' type: array nextLink: type: string results: items: type: object type: array wait: type: string required: - results - isPreviewStable type: object ListSearchResultsResponse: description: | The structure of the search results or events metadata that is returned for the job with the specified search ID (SID). When search is running, it might return incomplete or truncated search results. Incomplete search results occur when a search has not completed. Wait until search completes for full result set. Truncated search results occur because the number of requested results exceeds the page limit. Use the 'nextLink' URL to retrieve the next page of results. properties: fields: items: properties: dataSource: type: string groupbyRank: type: string name: type: string splitField: type: string splitValue: type: string splitbySpecial: type: string typeSpecial: type: string required: - name type: object type: array messages: items: $ref: '#/components/schemas/Message' type: array nextLink: type: string results: items: type: object type: array wait: type: string required: - results type: object LookupDataset: allOf: - $ref: '#/components/schemas/LookupDatasetProperties' - $ref: '#/components/schemas/MetadataProperties' - $ref: '#/components/schemas/DatasetCommon' description: A complete lookup dataset as rendered in POST, PATCH, and GET responses. required: - kind - externalKind - externalName type: object LookupDatasetExternalKind: description: The type of the external lookup. enum: - kvcollection type: string LookupDatasetKind: description: The dataset kind. enum: - lookup type: string LookupDatasetPATCH: allOf: - $ref: '#/components/schemas/LookupDatasetProperties' - $ref: '#/components/schemas/DatasetPATCHCommon' description: Property values to be set in an existing lookup dataset using a PATCH request. LookupDatasetProperties: description: Properties of lookup datasets which may be read, set, and changed through the API. Implementation detail of DatasetPOST, DatasetPATCH, and Dataset, do not use directly. properties: caseSensitiveMatch: default: true description: Match case-sensitively against the lookup. type: boolean externalKind: $ref: '#/components/schemas/LookupDatasetExternalKind' externalName: description: The name of the external lookup. example: nameOfKvCollection type: string filter: description: A query that filters results out of the lookup before those results are returned. type: string kind: $ref: '#/components/schemas/LookupDatasetKind' Message: description: The message field in search results or search jobs. The types of messages are INFO, DEBUG, FATAL, and ERROR. properties: text: type: string type: enum: - INFO - DEBUG - FATAL - ERROR type: string MetadataProperties: allOf: - $ref: '#/components/schemas/DateMetadataProperties' - $ref: '#/components/schemas/UserMetadataProperties' description: Created, createdby, modified, modifiedby, and owner properties for inclusion in other objects. MetricDataset: allOf: - $ref: '#/components/schemas/MetricDatasetProperties' - $ref: '#/components/schemas/MetricDatasetReadOnlyProperties' - $ref: '#/components/schemas/MetadataProperties' - $ref: '#/components/schemas/DatasetCommon' description: A complete metric dataset as rendered in POST, PATCH, and GET responses. required: - kind - disabled type: object MetricDatasetKind: description: The dataset kind. enum: - metric type: string MetricDatasetPATCH: allOf: - $ref: '#/components/schemas/MetricDatasetProperties' - $ref: '#/components/schemas/DatasetPATCHCommon' description: Property values to be set in an existing metric dataset using a PATCH request. MetricDatasetProperties: description: Properties of metric datasets which may be read, set, and changed through the API. Implementation detail of DatasetPOST, DatasetPATCH, and Dataset, do not use directly. properties: disabled: description: Specifies whether or not the Splunk index is disabled. type: boolean frozenTimePeriodInSecs: description: The frozenTimePeriodInSecs to use for the index type: integer kind: $ref: '#/components/schemas/MetricDatasetKind' type: object MetricDatasetReadOnlyProperties: description: Properties of metric datasets which can only be read through the API. properties: earliestEventTime: description: The timestamp, in seconds, of the earliest measure. The timestamp is in UNIX time. type: string earliestIngestTime: description: The earliest index time for any of the measures in this index. type: string kind: $ref: '#/components/schemas/MetricDatasetKind' latestEventTime: description: The timestamp, in seconds, of the latest measure. The timestamp is in UNIX time. type: string latestIngestTime: description: The earliest index time for any of the measures in this index. type: string latestMetadataUpdateTime: description: The latest time that the metric index metadata was refreshed. type: string totalEventCount: description: THe number of measures in the metric index. type: integer totalSize: description: For metrics indexes, the totalSize is set to 0. type: integer type: object QueryParameters: description: Represents parameters on the search job such as 'earliest' and 'latest'. properties: earliest: default: -24h@h description: | The earliest time, in absolute or relative format, to retrieve events. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2021-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. Latest time must be after Earliest time. type: string latest: default: now description: | The latest time, in absolute or relative format, to retrieve events. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2021-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. Latest time must be after Earliest time. type: string relativeTimeAnchor: default: The system time when the search job is created. description: | Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time. You can specify a relative time modifier ('earliest' or 'latest') for this parameter. For example, if 'earliest' is set to -d and the 'relativeTimeAnchor' is set to '2021-01-05T13:15:30Z' then 'resolvedEarliest' is '2021-01-04T13:15:30Z'. format: date-time type: string timezone: description: | The timezone that relative time modifiers are based off of. Timezone only applies to relative time literals for 'earliest' and 'latest'. If UNIX time or UTC format is used for 'earliest' and 'latest', this field is ignored. For the list of supported timezone formats, see https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps#zoneinfo_.28TZ.29_database type: string default: "GMT" type: object SearchJob: description: A search job, including read-only fields that includes the required properties. properties: allowSideEffects: default: false description: | Specifies whether a search that contains commands with side effects (with possible security risks) is allowed to run. type: boolean collectEventSummary: default: false description: | Specifies whether a search is allowed to collect event summary information during the run time. type: boolean collectFieldSummary: default: false description: | Specifies whether a search is allowed to collect field summary information during the run time. type: boolean collectTimeBuckets: default: false description: | Specifies whether a search is allowed to collect timeline bucket summary information during the run time. type: boolean completionTime: description: | The time, in GMT, that the search job is finished. Empty if the search job has not completed. readOnly: true type: string dispatchTime: description: | The time, in GMT, that the search job is dispatched. readOnly: true type: string enablePreview: default: false description: | Specifies whether a search is allowed to collect preview results during the run time. type: boolean extractAllFields: default: false description: | Specifies whether the Search service should extract all of the available fields in the data, including fields not mentioned in the SPL, for the search job. Set to 'false' for better search performance. The 'extractAllFields' parameter is deprecated as of version v3alpha1. Although this parameter continues to function, it might be removed in a future version. Use the 'extractFields' parameter instead. type: boolean extractFields: default: none description: | Specifies how the Search service should extract fields. Valid values include 'all', 'none', or 'indexed'. Use 'all' to extract all fields. Use 'indexed' to extract only indexed fields. Use 'none' to extract only the default fields. type: string maxTime: default: 3600 description: | The number of seconds to run the search before finalizing the search. The maximum value is 3600 seconds (1 hour). maximum: 3600 minimum: 1 type: integer messages: items: $ref: '#/components/schemas/Message' type: array module: default: "" description: The module to run the search in. The default module is used if a module is not specified. type: string name: description: The name of the search job. maxLength: 100 readOnly: true type: string percentComplete: default: 0 description: An estimate of the percent of time remaining before the job completes. readOnly: true type: integer previewAvailable: default: false description: Specifies if preview results for the search job are available. The valid status values are 'unknown', 'true', and 'false'. You must set the 'enablePreview=true' parameter to return preview search results. readOnly: true type: string query: description: The SPL search string. format: SPL2 type: string queryParameters: allOf: - $ref: '#/components/schemas/QueryParameters' description: Represents parameters on the search job such as 'earliest' and 'latest'. requiredFreshness: default: 0 description: | Specifies a maximum time interval, in seconds, between identical existing searches. The 'requiredFreshness' parameter is used to determine if an existing search with the same query and the same time boundaries can be reused, instead of running the same search again. Freshness is applied to the 'resolvedEarliest' and 'resolvedLatest' parameters. If an existing search has the same exact criteria as this search and the 'resolvedEarliest' and 'resolvedLatest' values are within the freshness interval, the existing search metadata is returned instead of initiating a new search job. By default, the 'requiredFreshness' parameter is set to 0 which means that the platform does not attempt to use an existing search. The maximum value for the 'requiredFreshness' parameter is 259200 seconds (72 hours). maximum: 259200 minimum: 0 type: integer resolvedEarliest: description: | The earliest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resolvedLatest: description: | The latest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resultsAvailable: default: 0 description: The number of results produced so far for the search job. readOnly: true type: integer resultsPreviewAvailable: default: 0 description: The number of the preview search results for the job with the specified search ID (SID). You must set the 'enablePreview=true' parameter to return preview search results. readOnly: true type: integer sid: description: The ID assigned to the search job. readOnly: true type: string status: $ref: '#/components/schemas/SearchStatus' required: - query type: object SearchStatus: description: | The current status of the search job. The valid status values are 'running', 'done', 'canceled', 'finalized' and 'failed'. enum: - running - done - canceled - failed - finalized type: string SingleFieldSummary: description: Summary of each field. properties: count: description: The total number of events that the field appears in. type: integer distinctCount: description: The total number of unique values in the field. type: integer isExact: description: | Specifies if the 'distinctCount' is accurate. When the count exceeds the maximum count, an approximate count is computed instead and the 'isExact' property is FALSE. type: boolean max: description: The maximum numeric value in the field. type: string mean: description: The mean (average) for the numeric value in the field. format: double type: number min: description: The minimum numeric value in the field. type: string modes: description: An array of the values in the field. items: allOf: - $ref: '#/components/schemas/SingleValueMode' type: array numericCount: description: The count of the numeric values in the field. type: integer relevant: description: Specifies if the field was added or changed by the search. type: boolean stddev: description: The standard deviation for the numeric values in the field. format: double type: number type: object SingleTimeBucket: description: The summary of events for a single time bucket. properties: availableCount: description: Count of available events. Not all events in a bucket are retrievable. Typically this count is capped at 10000. type: integer duration: format: double type: number earliestTime: description: The timestamp of the earliest event in the current bucket, in UNIX format. This is the same time as 'earliestTimeStrfTime' in UNIX format. format: double type: number earliestTimeStrfTime: description: The timestamp of the earliest event in the current bucket, in UTC format with seconds. For example 2021-01-25T13:15:30Z, which follows the ISO-8601 (%FT%T.%Q) format. type: string isFinalized: description: Specifies if all of the events in the current bucket have been finalized. type: boolean totalCount: description: The total count of the events in the current bucket. type: integer readOnly: true type: object SingleValueMode: description: Summary of the value in a field. properties: count: description: The number of occurrences that the value appears in a field. type: integer isExact: description: | Specifies if the count is accurate. When the count exceeds the maximum count, an approximate count is computed instead and the 'isExact' property is FALSE. type: boolean value: description: The value in the field. type: string type: object TimeBucketsSummary: description: | A timeline metadata model of the event distribution. The model shows the untransformed events that are read to date for a specific for search ID (SID). properties: IsTimeCursored: description: Specifies if the events are returned in time order. type: boolean buckets: items: allOf: - $ref: '#/components/schemas/SingleTimeBucket' type: array cursorTime: description: Identifies where the cursor is in processing the events. The 'cursorTime' is a timestamp specified in UNIX time. type: number eventCount: description: The number of events processed at the 'cursorTime'. type: integer type: object UpdateJob: description: Updates a search job with a status. properties: status: description: "Modify the status of an existing search job using PATCH. The only status values you can PATCH are 'canceled' and 'finalized'. You can PATCH the 'canceled' status only to a search job that is running. 'finalize' means to terminate the search job, and the status will be set to 'failed'. \n" enum: - canceled - finalized type: string required: - status type: object UserMetadataProperties: description: Owner, createdby, and modifiedby user name properties for inclusion in other objects. properties: createdby: description: The name of the user who created the object. This value is obtained from the bearer token and may not be changed. example: janedoe readOnly: true type: string modifiedby: description: The name of the user who most recently modified the object. example: suedoe readOnly: true type: string owner: description: The name of the object's owner. example: johndoe readOnly: true type: string required: - owner - createdby - modifiedby type: object securitySchemes: BasicAuth: scheme: basic type: http info: description: Use the Search service in Splunk Cloud Services to dispatch, review, and manage searches and search jobs. You can finalize or cancel jobs, retrieve search results, and request search-related configurations from the Metadata Catalog service in Splunk Cloud Services. title: Splunk Search service version: v2 openapi: 3.0.0 paths: /{tenant}/search/v2/connections: get: description: Returns all federated connections. operationId: getAllFederatedConnections responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListFederatedConnections' description: | All federated connections were returned successfully. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' post: description: | Creates a new federated connection with information about how to connect to a remote index. operationId: createFederatedConnection requestBody: content: application/json: schema: $ref: '#/components/schemas/FederatedConnectionInput' responses: "201": content: application/json: schema: $ref: '#/components/schemas/FederatedConnection' description: | The federated connection was created successfully. "400": description: The request payload isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. /{tenant}/search/v2/connections/{connectionName}: delete: description: | Deletes a federated connection with the specified name (connectionName) operationId: deleteFederatedConnection responses: "204": description: | The federated connection with the specified name (connectionName) was deleted successfully. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. get: description: | Returns the federated connection with the specified name (connectionName). operationId: getFederatedConnectionByName responses: "200": content: application/json: schema: $ref: '#/components/schemas/FederatedConnection' description: | The federated connection for the specified name (connectionName) was returned successfully. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/connectionName' put: description: | Creates or updates a federated connection with a specified name (connectionName). operationId: putFederatedConnectionByName requestBody: content: application/json: schema: $ref: '#/components/schemas/FederatedConnectionInput' responses: "200": content: application/json: schema: $ref: '#/components/schemas/FederatedConnection' description: The federated connection was created or updated successfully. "400": description: The request isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. /{tenant}/search/v2/connections/{connectionName}/refresh: parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/connectionName' post: description: | Refresh a federated connection to fetch new remote indexes and add/delete corresponding federated datasets. operationId: refreshFederatedConnection responses: "201": description: | The federated connection refresh was successful. "400": description: The request payload isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. /{tenant}/search/v2/connections/{connectionName}/test: parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/connectionName' post: description: | Test connection with remote EC instance using federated connection parameters. operationId: testFederatedConnection responses: "200": description: | Successfully able to contact EC stack with given federated connection parameters. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. /{tenant}/search/v2/datasets: get: description: Returns a list of all datasets. operationId: listDatasets responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListDatasets' description: The datasets were returned successfully. "400": description: The request isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' post: description: Creates a dataset. operationId: createDataset requestBody: content: application/json: schema: $ref: '#/components/schemas/DatasetPOST' responses: "201": content: application/json: schema: $ref: '#/components/schemas/Dataset' description: The dataset was created successfully. "400": description: The request isn’t valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. /{tenant}/search/v2/datasets/{datasetid}: delete: description: | Deletes a dataset with a specified dataset ID (datasetid). operationId: deleteDatasetById responses: "204": description: | The dataset with the specified dataset ID (datasetid) was deleted successfully. "400": description: The request isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. get: description: | Returns a dataset with a specified dataset ID (datasetid). operationId: getDatasetById responses: "200": content: application/json: schema: $ref: '#/components/schemas/Dataset' description: | The search job information for the specified datatset ID (datasetid) was returned successfully. "400": description: The request isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/datasetid' patch: description: | Modifies a dataset with a specified dataset ID (datasetid). operationId: updateDatasetById requestBody: content: application/json: schema: $ref: '#/components/schemas/DatasetPATCH' responses: "200": content: application/json: schema: $ref: '#/components/schemas/Dataset' description: The dataset was modified successfully. "400": description: The request isn't valid. "401": description: The user isn't authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs: get: description: Returns the matching list of search jobs. operationId: listJobs parameters: - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/StatusFilter' - $ref: '#/components/parameters/SidFilter' responses: "200": content: application/json: schema: items: $ref: '#/components/schemas/SearchJob' type: array description: The list of search jobs was returned successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' post: description: Creates a search job. operationId: createJob requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchJob' responses: "201": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job was created successfully. "400": description: The request isn’t valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "412": description: The precondition check failed. The search query contains commands, thru or into, that have side effects. However, the 'allowSideEffects' query parameter is set to false. "429": description: Too many requests were sent. The limit for the maximum number of concurrent searches was reached. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}: get: description: Returns the search job with the specified search ID (SID). operationId: getJob responses: "200": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job information for the specified search ID (SID) was returned successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' patch: description: Updates the search job with the specified search ID (SID) with an action. operationId: updateJob requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateJob' responses: "200": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job status was modified successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/export: get: description: Exports the search results for the job with the specified search ID (SID). Export the results as a CSV file or JSON file. operationId: exportResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/filename' - $ref: '#/components/parameters/outputMode' responses: "200": content: application/json: schema: type: object text/csv: schema: type: string description: The search results were exported in CSV or JSON format successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/results: get: description: Returns the search results for the job with the specified search ID (SID). operationId: listResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/Field' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListSearchResultsResponse' description: The list of search results was returned successfully. Any results that are ready have been returned. If there are additional results, a 'nextLink' URL is provided. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/results-preview: get: description: Returns the preview search results for the job with the specified search ID (SID). Can be used when a job is running to return interim results. operationId: listPreviewResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListPreviewResultsResponse' description: The results preview was returned successfully. If there are additional results, a 'nextLink' URL is provided. "204": description: The results preview was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/timeline-metadata/auto/events-summary: get: description: Returns an events summary for search ID (SID) search. operationId: listEventsSummary parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/Field' - $ref: '#/components/parameters/Earliest' - $ref: '#/components/parameters/Latest' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListSearchResultsResponse' description: The events summary was returned successfully. "204": description: The events summary was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/timeline-metadata/auto/fields-summary: get: description: Returns a fields stats summary of the events to-date, for search ID (SID) search. operationId: listFieldsSummary parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/Earliest' - $ref: '#/components/parameters/Latest' responses: "200": content: application/json: schema: $ref: '#/components/schemas/FieldsSummary' description: The fields summary was returned successfully. "204": description: The fields summary was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/{sid}/timeline-metadata/auto/time-buckets: get: description: Returns the event distribution over time of the untransformed events read to-date, for search ID(SID) search. operationId: listTimeBuckets parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' responses: "200": content: application/json: schema: $ref: '#/components/schemas/TimeBucketsSummary' description: The timeline buckets were returned successfully. "204": description: The timeline buckets were returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2/jobs/delete: parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' post: description: | Creates a search job that deletes events from an index. The events are deleted from the index in the specified module, based on the search criteria as specified by the predicate. operationId: deleteJob requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteSearchJob' responses: "201": content: application/json: schema: $ref: '#/components/schemas/DeleteSearchJob' description: The delete search job was created successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. # Retrieved from scp-openapi commit 820564ba8a17697d087ff171b14cbad60a716ee3 path: search/v2/openapi.yaml