Create a new search job from a search query string and return its results. Note: if the search runs longer than the action's timeout limit, the action returns a timeout error together with the search job ID (SID). You can then pass that SID to actions such as Get Search Job By ID to check the job's status (reported under the entry.content.dispatchState key; Splunk reports states such as QUEUED, PARSING, RUNNING, FINALIZING, DONE, and FAILED). Once the status is DONE, retrieve the results with the Get Search Job Results action.

Basic Parameters

Parameter | Description
Ad Hoc Search Level | The search level of the created search: verbose, fast, or smart (Splunk's adhoc_search_level). For more information, refer to the Splunk Documentation.
Earliest Time | A time string that sets the inclusive start of the search, for example -24h.
Execution Mode | Set to normal to run an asynchronous search and return the sid immediately, or to blocking to return the sid only once the job is complete.
Latest Time | A time string that sets the inclusive end of the search, for example now.
Output Mode Results | The format of the returned output (Splunk's output_mode, for example json, csv, or xml).
Search Mode | Set to realtime to search live incoming data, or to normal to run a one-time search over historical indexed data.
Search Query | The search query the created job will run. Values taken from a trigger or a previous step and concatenated into this string are executed as SPL; quote them as string literals rather than splicing them in raw.

Advanced Parameters

Parameter | Description
Add Summary To Metadata | Select to include field summary statistics in the response.
Custom ID | Optional string to use as the search ID (<sid>). If unspecified, a random ID is generated.
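The create, poll, fetch flow described above, written out against Splunk's REST search endpoints as an added example (this is not the platform's own action code and ships with no workflow). The REST paths, parameter names (search, exec_mode, search_mode, earliest_time, latest_time, adhoc_search_level, id, count, output_mode) and dispatchState values follow Splunk's documented search/jobs API; http_transport assumes bearer-token authentication and a base URL such as https://splunk.example.net:8089, FakeSplunk is a constructed offline stand-in for a Splunk host, and spl_quote, SearchTimeout and the other function names are this example's own. spl_quote covers the Search Query caveat: a value taken from a workflow input is rendered as an SPL string literal so that a hostile value cannot append a pipeline command (the example uses `" | delete`).

```python
"""Create a Splunk search job, poll entry.content.dispatchState, then fetch results.
Added example: REST paths and parameter names follow Splunk's search/jobs API,
the helper names are this example's own."""
import json
import time
import urllib.parse
import urllib.request

SPLUNK_JOBS = "/services/search/jobs"


class SearchTimeout(Exception):
    """The job is not finished yet; carries the sid so a later call can resume polling."""

    def __init__(self, sid, state):
        super().__init__(f"search job {sid} still {state}")
        self.sid, self.state = sid, state


def spl_quote(value):
    """Render an untrusted value as an SPL double-quoted string literal. Backslash and
    double quote are the characters with meaning inside the literal; escaping them keeps
    a value like '" | delete' from ending the literal and appending a pipeline command."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def http_transport(base_url, token):
    """Build a (method, path, params) -> JSON callable for a real host (assumed
    bearer-token auth). TLS verification stays on; never disable it for convenience."""
    def call(method, path, params):
        data = urllib.parse.urlencode(dict(params, output_mode="json")).encode()
        url, body = base_url + path, data
        if method == "GET":
            url, body = url + "?" + data.decode(), None
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


class FakeSplunk:
    """Constructed offline stand-in: reports RUNNING for the first `running_polls`
    status checks, then DONE, and serves one constructed result row."""

    def __init__(self, running_polls=2):
        self.running_polls, self.requests = running_polls, []

    def __call__(self, method, path, params):
        self.requests.append((method, path, dict(params)))
        if method == "POST":
            return {"sid": params.get("id", "1700000000.42")}
        if path.endswith("/results"):
            return {"results": [{"ClientIP": "203.0.113.7", "count": "3"}], "preview": False}
        self.running_polls -= 1
        state = "RUNNING" if self.running_polls >= 0 else "DONE"
        return {"entry": [{"content": {"dispatchState": state}}]}


def create_search_job(transport, query, earliest_time="-24h", latest_time="now",
                      adhoc_search_level="smart", custom_id=None):
    """POST the job with exec_mode=normal (asynchronous) and return its sid."""
    if not query.lstrip().startswith(("search ", "|")):
        query = "search " + query        # a bare term list must start with the search command
    params = {"search": query, "exec_mode": "normal", "search_mode": "normal",
              "earliest_time": earliest_time, "latest_time": latest_time,
              "adhoc_search_level": adhoc_search_level}
    if custom_id:
        params["id"] = custom_id
    return transport("POST", SPLUNK_JOBS, params)["sid"]


def wait_for_job(transport, sid, timeout_s=60, interval_s=2, sleep=time.sleep):
    """Poll until dispatchState is DONE. FAILED raises RuntimeError; running past
    timeout_s raises SearchTimeout, whose .sid can be handed to a later call."""
    deadline = time.monotonic() + timeout_s
    while True:
        job = transport("GET", f"{SPLUNK_JOBS}/{sid}", {})
        state = job["entry"][0]["content"]["dispatchState"]
        if state == "DONE":
            return state
        if state == "FAILED":
            raise RuntimeError(f"search job {sid} failed")
        if time.monotonic() >= deadline:
            raise SearchTimeout(sid, state)
        sleep(interval_s)


def get_results(transport, sid, count=0):
    """Fetch result rows of a finished job (count=0 asks for every row)."""
    return transport("GET", f"{SPLUNK_JOBS}/{sid}/results", {"count": count})["results"]


def run_search(transport, query, timeout_s=60, sleep=time.sleep, **job_kwargs):
    """The whole action: create, wait, fetch. Returns (sid, rows)."""
    sid = create_search_job(transport, query, **job_kwargs)
    wait_for_job(transport, sid, timeout_s=timeout_s, sleep=sleep)
    return sid, get_results(transport, sid)


if __name__ == "__main__":
    client_ip = '203.0.113.7" | delete'          # hostile value a workflow input might carry
    query = "index=web ClientIP=" + spl_quote(client_ip) + " | stats count by ClientIP"
    sid, rows = run_search(FakeSplunk(), query, sleep=lambda _: None)
    print(sid, rows)
```

Against a real host, replace FakeSplunk() with http_transport("https://splunk.example.net:8089", token). When wait_for_job raises SearchTimeout, keep exception.sid and call wait_for_job and get_results with it later, which is the same recovery the action note describes for Get Search Job By ID and Get Search Job Results.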

Example Output

{
	"fields": [
		{
			"name": "<string>"
		}
	],
	"highlighted": {},
	"init_offset": 1,
	"messages": [],
	"preview": false,
	"results": [
		{
			"ClientIP": "<string>"
		}
	],
	"sid": "<string>"
}

Workflow Library Example

Run Search with Splunk and Send Results Via Email