Run Search - Blink Documentation

Create a new Search Job based on a search query string, and get the search results. Note: If the search time reaches the action timeout limit, the action will return a timeout error and the search job ID. You can then use the returned SID with actions like Get Search Job By ID to check the job’s status (available under the entry.content.dispatchState key). Once the status is DONE, you can retrieve the results using the Get Search Job Results action.

Basic Parameters

Parameter	Description
Ad Hoc Search Level	The search level of the created search. For more information, refer to the Splunk Documentation.
Earliest Time	Specify a time string to set the inclusive start of the search.
Execution Mode	Set to `normal`, in order to run an asynchronous search. Set to `blocking`, in order to return the sid when the job is complete.
Latest Time	Specify a time string to set the inclusive end of the search.
Output Mode Results	Specify the format for the returned output.
Search Mode	Set to `realtime` to search live incoming data, or `normal` to run a one-time search over historical indexed data.
Search Query	The search query the created job will run.

Advanced Parameters

Parameter	Description
Add Summary To Metadata	Select to include field summary statistics in the response.
Custom ID	Optional string to specify the search ID (`<sid>`). If unspecified, a random ID is generated.

Example Output

{
	"fields": [
		{
			"name": "<string>"
		}
	],
	"highlighted": {},
	"init_offset": 1,
	"messages": [],
	"preview": false,
	"results": [
		{
			"ClientIP": "<string>"
		}
	],
	"sid": "<string>"
}

Workflow Library Example

Run Search with Splunk and Send Results Via Email

Preview this Workflow on desktop

Integrations

​Basic Parameters

​Advanced Parameters

​Example Output

​Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example