Create a new Search Job based on a search query string, and get the search results. Note: If the search time reaches the action timeout limit, the action will return a timeout error and the search job ID.

Basic Parameters

ParameterDescription
Ad Hoc Search LevelThe search level of the created search. For more information, refer to the Splunk Documentation.
Earliest TimeSpecify a time string. Sets the earliest (inclusive), respectively, time bounds for the search.
Execution ModeIf set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml. Does not return the search ID.
Latest TimeSpecify a time string. Sets the latest (exclusive), respectively, time bounds for the search.
Output Mode ResultsSpecifies the format for the returned output.
Search ModeIf set to realtime, search runs over live data. A real-time search may also be indicated by earliest_time and latest_time variables starting with ‘rt’ even if the search_mode is set to normal or is unset. For a real-time search, if both earliest_time and latest_time are both exactly ‘rt’, the search represents all appropriate live data received since the start of the search.
Search QueryThe search query the created job will run.

Advanced Parameters

ParameterDescription
Add Summary To MetadataSelect to include field summary statistics in the response.
Custom IDOptional string to specify the search ID (<sid>). If unspecified, a random ID is generated.

Example Output

{
	"fields": [
		{
			"name": "<string>"
		}
	],
	"highlighted": {},
	"init_offset": 1,
	"messages": [],
	"preview": false,
	"results": [
		{
			"ClientIP": "<string>"
		}
	],
	"sid": "<string>"
}

Workflow Library Example

Run Search with Splunk and Send Results Via Email

Preview this Workflow on desktop