components: parameters: AuthorizationHeader: description: | Access token provided by the user (obtained from a known identity provider). in: header name: Authorization required: true schema: pattern: ^Bearer .+ type: string Count: description: | The maximum number of jobs that you want to return the status entries for. in: query name: count schema: default: 1000 type: integer Earliest: description: | The earliest time filter, in absolute time. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2019-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. in: query name: earliest schema: type: string Field: description: | A field to return for the result set. You can specify multiple fields of comma-separated values if multiple fields are required. in: query name: field schema: type: string Latest: description: | The latest time filter in absolute time. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2019-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. Latest time must be after Earliest time. in: query name: latest schema: type: string SidFilter: description: | Filter the list of jobs by sid. Valid format is `sid IN ({comma separated list of SIDs in quotes})`. A maximum of 30 SIDs can be specified in one query. in: query name: filter schema: type: string StatusFilter: description: | Filter the list of jobs by status. Valid status values are 'running', 'done', 'canceled', or 'failed'. in: query name: status schema: $ref: '#/components/schemas/SearchStatus' count: description: | The maximum number of entries to return. Set to 0 to return all available entries. in: query name: count schema: default: 30 type: integer filename: description: | The export results filename. Default: exportResults in: query name: filename schema: type: string offset: description: Index of first item to return. in: query name: offset schema: default: 0 type: integer outputMode: description: | Specifies the format for the returned output. in: query name: outputMode schema: enum: - csv - json type: string sid: description: The search ID. in: path name: sid required: true schema: type: string tenant: description: The system tenant ID. in: path name: tenant required: true schema: type: string schemas: DeleteSearchJob: description: A fully-constructed delete search job, including read-only fields. properties: allowSideEffects: default: true description: | Specifies that the delete search job will contain side effects, with possible security risks. readOnly: true type: boolean collectEventSummary: default: false description: | This field does not apply to delete search jobs and is defaulted to false. readOnly: true type: boolean collectFieldSummary: default: false description: | This field does not apply to delete search jobs and is defaulted to false. readOnly: true type: boolean collectTimeBuckets: default: false description: | This field does not apply to delete search jobs and is defaulted to false. readOnly: true type: boolean completionTime: description: | The time, in GMT, that the search job is finished. Empty if the search job has not completed. readOnly: true type: string dispatchTime: description: | The time, in GMT, that the search job is dispatched. readOnly: true type: string enablePreview: default: false description: | This field does not apply to delete search jobs and is defaulted to false. readOnly: true type: boolean extractAllFields: default: false description: | Specifies whether the Search service should extract all of the available fields in the data, including fields not mentioned in the SPL for the search job. Set to 'false' for better search performance. The 'extractAllFields' parameter is deprecated as of version v3alpha1. Although this parameter continues to function, it might be removed in a future version. Use the 'extractFields' parameter instead. type: boolean extractFields: default: "" description: | Specifies how the Search service should extract fields. Valid values include 'all', 'none', or 'indexed'. 'all' will extract all fields, 'indexed' will extract only indexed fields, and 'none' will extract only the default fields. This parameter overwrites the value of the 'extractAllFields' parameter. Set to 'none' for better search performance. type: string index: description: The index to delete events from. type: string maxTime: default: 3600 description: | The amount of time, in seconds, to run the delete search job before finalizing the search. The maximum value is 3600 seconds (1 hour). maximum: 3600 minimum: 1 type: integer messages: items: $ref: '#/components/schemas/Message' type: array module: description: The module to run the delete search job in. The default module is used if module field is empty. type: string name: description: The name of the created search job. maxLength: 100 readOnly: true type: string percentComplete: default: 0 description: An estimate of the percent of time remaining before the delete search job completes. readOnly: true type: integer predicate: description: The predicate expression that identifies the events to delete from the index. This expression must return true or false. To delete all events from the index, specify "true" instead of an expression. type: string previewAvailable: default: false description: This field does not apply to delete search jobs and is defaulted to false. readOnly: true type: string query: description: The SPL search string that is generated based on index, module and predicate that are specified. readOnly: true type: string queryParameters: allOf: - $ref: '#/components/schemas/QueryParameters' description: Represents parameters on the search job such as 'earliest' and 'latest'. requiredFreshness: default: 0 description: | This field does not apply to delete search jobs and is set to 0. readOnly: true type: integer resolvedEarliest: description: | The earliest time speciifed as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resolvedLatest: description: | The latest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resultsAvailable: default: 0 description: The number of results produced so far by the delete search job that are going to be deleted. readOnly: true type: integer resultsPreviewAvailable: default: 0 description: This field does not apply to delete search jobs and is defaulted to 0. readOnly: true type: integer sid: description: The ID assigned to the delete search job. readOnly: true type: string status: $ref: '#/components/schemas/SearchStatus' required: - index - module - predicate type: object Error: properties: code: type: string details: items: type: object type: array message: type: string type: object FieldsSummary: description: Fields statistics summary model of the events to-date, for search ID (sid). properties: duration: description: The amount of time, in seconds, that a time bucket spans from the earliest to the latest time. format: double type: number earliestTime: description: If specified, the earliest timestamp, in UTC format, of the events to process. type: string eventCount: description: The total number of events for all fields returned in the time range (earliestTime and latestTime) specified. type: integer fields: additionalProperties: $ref: '#/components/schemas/SingleFieldSummary' description: A map of the fields in the time range specified. type: object latestTime: description: If specified, the latest timestamp, in UTC format, of the events to process. type: string type: object ListPreviewResultsResponse: description: The structure of the response body for the preview search results that is returned for the job with the specified search ID (SID). When search is running, it might return incomplete or truncated search results. The isPreviewStable property indicates whether the returned preview results stucture is stable or not. Truncated preview results occur because the number of requested results exceeds the page limit. Follow the 'nextLink' URL to retrieve the next page of results. properties: fields: items: properties: dataSource: type: string groupbyRank: type: string name: type: string splitField: type: string splitValue: type: string splitbySpecial: type: string typeSpecial: type: string required: - name type: object type: array isPreviewStable: type: boolean messages: items: $ref: '#/components/schemas/Message' type: array nextLink: type: string results: items: type: object type: array wait: type: string required: - results - isPreviewStable type: object ListSearchResultsResponse: description: | The structure of the search results or events metadata that is returned for the job with the specified search ID (SID). When search is running, it might return incomplete or truncated search results. Incomplete search results occur when a search has not completed. Wait until search completes for full result set. Truncated search results occur because the number of requested results exceeds the page limit. Use the 'nextLink' URL to retrieve the next page of results. properties: fields: items: properties: dataSource: type: string groupbyRank: type: string name: type: string splitField: type: string splitValue: type: string splitbySpecial: type: string typeSpecial: type: string required: - name type: object type: array messages: items: $ref: '#/components/schemas/Message' type: array nextLink: type: string results: items: type: object type: array wait: type: string required: - results type: object Message: description: The message field in search results or search jobs. The types of messages are INFO, DEBUG, FATAL, and ERROR. properties: text: type: string type: enum: - INFO - DEBUG - FATAL - ERROR type: string QueryParameters: description: Represents parameters on the search job such as 'earliest' and 'latest'. properties: earliest: default: -24h@h description: | The earliest time, in absolute or relative format, to retrieve events. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2019-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. type: string latest: default: now description: | The latest time, in absolute or relative format, to retrieve events. When specifying an absolute time specify either UNIX time, or UTC in seconds using the ISO-8601 (%FT%T.%Q) format. For example 2019-01-25T13:15:30Z. GMT is the default timezone. You must specify GMT when you specify UTC. Any offset specified is ignored. type: string relativeTimeAnchor: default: The system time when the search job is created. description: | Relative values for the 'earliest' and 'latest' parameters snap to the unit that you specify. For example, if 'earliest' is set to -d@d, the unit is day. If the 'relativeTimeAnchor' is is set to '2020-10-05T13:15:30Z' then 'resolvedEarliest' is snapped to '2020-10-05T00:00:00Z', which is the day. Hours, minutes, and seconds are dropped. If no 'relativeTimeAnchor' is specified, the default value is set to the time the search job was created. format: date-time type: string timezone: description: | The timezone that relative time specifiers are based off of. Timezone only applies to relative time literals for 'earliest' and 'latest'. If UNIX time or UTC format is used for 'earliest' and 'latest', this field is ignored. For the list of supported timezone formats, see https://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps#zoneinfo_.28TZ.29_database type: string default: "GMT" type: object SearchJob: description: A fully-constructed search job, including read-only fields. properties: allowSideEffects: default: false description: | Specifies whether a search that contains commands with side effects (with possible security risks) is allowed to run. type: boolean collectEventSummary: default: false description: | Specified whether a search is allowed to collect events summary during the run time. type: boolean collectFieldSummary: default: false description: | Specified whether a search is allowed to collect Fields summary during the run time. type: boolean collectTimeBuckets: default: false description: | Specified whether a search is allowed to collect Timeline Buckets summary during the run time. type: boolean completionTime: description: | The time, in GMT, that the search job is finished. Empty if the search job has not completed. readOnly: true type: string dispatchTime: description: | The time, in GMT, that the search job is dispatched. readOnly: true type: string enablePreview: default: false description: | Specified whether a search is allowed to collect preview results during the run time. type: boolean extractAllFields: default: false description: | Specifies whether the Search service should extract all of the available fields in the data, including fields not mentioned in the SPL for the search job. Set to 'false' for better search performance. The 'extractAllFields' parameter is deprecated as of version v3alpha1. Although this parameter continues to function, it might be removed in a future version. Use the 'extractFields' parameter instead. type: boolean extractFields: default: "" description: | Specifies how the Search service should extract fields. Valid values include 'all', 'none', or 'indexed'. 'all' will extract all fields, 'indexed' will extract only indexed fields, and 'none' will extract only the default fields. This parameter overwrites the value of the 'extractAllFields' parameter. Set to 'none' for better search performance. type: string maxTime: default: 3600 description: | The number of seconds to run the search before finalizing the search. The maximum value is 3600 seconds (1 hour). maximum: 3600 minimum: 1 type: integer messages: items: $ref: '#/components/schemas/Message' type: array module: default: "" description: The module to run the search in. The default module is used if a module is not specified. type: string name: description: The name of the created search job. maxLength: 100 readOnly: true type: string percentComplete: default: 0 description: An estimate of the percent of time remaining before the job completes. readOnly: true type: integer previewAvailable: default: false description: Specifies if preview results for the search job are available. The valid status values are 'unknown', 'true', and 'false'. readOnly: true type: string query: description: The SPL search string. format: SPL2 type: string queryParameters: allOf: - $ref: '#/components/schemas/QueryParameters' description: Represents parameters on the search job such as 'earliest' and 'latest'. requiredFreshness: default: 0 description: | Specifies a maximum time interval, in seconds, between identical existing searches. The 'requiredFreshness' parameter is used to determine if an existing search with the same query and the same time boundaries can be reused, instead of running the same search again. Freshness is applied to the resolvedEarliest and resolvedLatest parameters. If an existing search has the same exact criteria as this search and the resolvedEarliest and resolvedLatest values are within the freshness interval, the existing search metadata is returned instead of initiating a new search job. By default, the requiredFreshness parameter is set to 0 which means that the platform does not attempt to use an existing search. maximum: 259200 minimum: 0 type: integer resolvedEarliest: description: | The earliest time speciifed as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resolvedLatest: description: | The latest time specified as an absolute value in GMT. The time is computed based on the values you specify for the 'timezone' and 'earliest' queryParameters. readOnly: true type: string resultsAvailable: default: 0 description: The number of results produced so far for the search job. readOnly: true type: integer resultsPreviewAvailable: default: 0 description: The number of the preview search results for the job with the specified search ID (SID) readOnly: true type: integer sid: description: The ID assigned to the search job. readOnly: true type: string status: $ref: '#/components/schemas/SearchStatus' required: - query type: object SearchStatus: description: | The current status of the search job. The valid status values are 'running', 'done', 'canceled', 'finalized' and 'failed'. enum: - running - done - canceled - failed - finalized type: string SingleFieldSummary: description: Summary of each field. properties: count: description: The total number of events that contain the field. type: integer distinctCount: description: The total number of unique values in the field. type: integer isExact: description: | Specifies if the distinctCount is accurate. The isExact property is FALSE when the distinctCount exceeds the maximum count and an exact count is not available. type: boolean max: description: The maximum numeric values in the field. type: string mean: description: The mean (average) for the numeric values in the field. format: double type: number min: description: The minimum numeric values in the field. type: string modes: description: An array of the values in the field. items: allOf: - $ref: '#/components/schemas/SingleValueMode' type: array numericCount: description: The count of the numeric values in the field. type: integer relevant: description: Specifies if the field was added or changed by the search. type: boolean stddev: description: The standard deviation for the numeric values in the field. format: double type: number type: object SingleTimeBucket: description: Events summary in single time bucket. properties: availableCount: description: Count of available events. Not all events in a bucket are retrievable. Typically this count is capped at 10000. type: integer duration: format: double type: number earliestTime: description: The timestamp of the earliest event in the current bucket, in UNIX format. This is the same time as 'earliestTimeStrfTime' in UNIX format. format: double type: number earliestTimeStrfTime: description: The timestamp of the earliest event in the current bucket, in UTC format with seconds. For example 2019-01-25T13:15:30Z, which follows the ISO-8601 (%FT%T.%Q) format. type: string isFinalized: description: Specifies if all of the events in the current bucket have been finalized. type: boolean totalCount: description: The total count of the events in the current bucket. type: integer readOnly: true type: object SingleValueMode: description: Single value summary of the field. properties: count: description: The number of occurences that the value appears in a field. type: integer isExact: description: | Specifies if the count is accurate. The isExact property is FALSE when the count exceeds the maximum count and an exact count is not available. type: boolean value: description: The value in the field. type: string type: object TimeBucketsSummary: description: | A timeline metadata model of the event distribution. The model shows the untransformed events that are read to date for a specific for search ID (sid). properties: IsTimeCursored: description: Specifies if the events are returned in time order. type: boolean buckets: items: allOf: - $ref: '#/components/schemas/SingleTimeBucket' type: array cursorTime: description: Identifies where the cursor is in processing the events. The cursorTime is a timestamp specified in UNIX time. type: number eventCount: description: The number of events processed at the cursorTime. type: integer type: object UpdateJob: description: Update a search job with a status. properties: status: description: The status to PATCH to an existing search job. The only status values you can PATCH are 'canceled' and 'finalized'. You can PATCH the 'canceled' status only to a search job that is running. enum: - canceled - finalized type: string required: - status type: object securitySchemes: BasicAuth: scheme: basic type: http info: description: Use the Search service in Splunk Cloud Services to dispatch, review, and manage searches and search jobs. You can finalize or cancel jobs, retrieve search results, and request search-related configurations from the Metadata Catalog service in Splunk Cloud Services. title: Splunk Search service version: v2beta1.1 openapi: 3.0.0 paths: /{tenant}/search/v2beta1/jobs: get: description: Return the matching list of search jobs. operationId: listJobs parameters: - $ref: '#/components/parameters/Count' - $ref: '#/components/parameters/StatusFilter' - $ref: '#/components/parameters/SidFilter' responses: "200": content: application/json: schema: items: $ref: '#/components/schemas/SearchJob' type: array description: The list of search jobs was returned successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/AuthorizationHeader' post: description: Creates a search job. operationId: createJob requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchJob' responses: "201": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job was created successfully. "400": description: The request isn’t valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "412": description: The precondition check failed. The search query contains commands, thru or into, that have side effects. However, the 'allowSideEffects' query parameter is set to false. "429": description: Too many requests were sent. The limit for the maximum number of concurrent searches was reached. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}: get: description: Return the search job with the specified search ID (SID). operationId: getJob responses: "200": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job information for the specified search ID (SID) was returned successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' patch: description: Update the search job with the specified search ID (SID) with an action. operationId: updateJob requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateJob' responses: "200": content: application/json: schema: $ref: '#/components/schemas/SearchJob' description: The search job status was modified successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/export: get: description: Export the search results for the job with the specified search ID (SID). Export the results as a csv file or json file. operationId: exportResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/filename' - $ref: '#/components/parameters/outputMode' responses: "200": content: application/json: schema: type: object text/csv: schema: type: string description: Export the search results in csv or json format "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/results: get: description: Return the search results for the job with the specified search ID (SID). operationId: listResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/Field' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListSearchResultsResponse' description: The list of search results was returned successfully. Any results that are ready have been returned. If there are additional results, a 'nextLink' URL is provided. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/results-preview: get: description: Return the preview search results for the job with the specified search ID (SID). Can be used when a job is running to return interim results. operationId: listPreviewResults parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListPreviewResultsResponse' description: The results preview was returned successfully. If there are additional results, a 'nextLink' URL is provided. "204": description: The results preview was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/timeline-metadata/auto/events-summary: get: description: Return events summary, for search ID (SID) search. operationId: listEventsSummary parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/Field' - $ref: '#/components/parameters/Earliest' - $ref: '#/components/parameters/Latest' responses: "200": content: application/json: schema: $ref: '#/components/schemas/ListSearchResultsResponse' description: The events summary was returned successfully. "204": description: The events summary was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/timeline-metadata/auto/fields-summary: get: description: Return fields stats summary of the events to-date, for search ID (SID) search. operationId: listFieldsSummary parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' - $ref: '#/components/parameters/Earliest' - $ref: '#/components/parameters/Latest' responses: "200": content: application/json: schema: $ref: '#/components/schemas/FieldsSummary' description: The fields summary was returned successfully. "204": description: The fields summary was returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/{sid}/timeline-metadata/auto/time-buckets: get: description: Return event distribution over time of the untransformed events read to-date, for search ID(SID) search. operationId: listTimeBuckets parameters: - $ref: '#/components/parameters/tenant' - $ref: '#/components/parameters/sid' responses: "200": content: application/json: schema: $ref: '#/components/schemas/TimeBucketsSummary' description: The timeline buckets were returned successfully. "204": description: The timeline buckets were returned successfully, but there is no response content. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. /{tenant}/search/v2beta1/jobs/delete: parameters: - $ref: '#/components/parameters/AuthorizationHeader' - $ref: '#/components/parameters/tenant' post: description: | Creates a search job that deletes events from an index. The events are deleted from the index in the specified module, based on the search criteria as specified by the predicate. operationId: deleteJob requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteSearchJob' responses: "201": content: application/json: schema: $ref: '#/components/schemas/DeleteSearchJob' description: The delete search job was created successfully. "400": description: The request isn't valid. "401": description: The user isn’t authenticated. "403": description: The operation isn't authorized. "404": description: The resource wasn't found. "500": description: An internal service error occurred. # Retrieved from scp-openapi commit 820564ba8a17697d087ff171b14cbad60a716ee3 path: search/v2beta1/openapi.yaml