SearchJobs
Create, query, update, and delete search jobs in Splunk.
Select
The driver will use the Splunk APIs to process the search Id (Sid) criteria specified in the WHERE clause. The Sid column supports server-side processing for the = operator. The driver processes other search criteria client-side within the driver.
SELECT * FROM SearchJobs SELECT * FROM SearchJobs WHERE Sid = '123456789.1234'You can turn off the client-side execution of the query by setting SupportEnhancedSQL to false in which case any search criteria that refers to other columns will cause an error or inconsistent data.
Insert
Splunk allows inserts only when EventSearch is specified. You can insert the Custom, EarliestTime, LatestTime, Label, and StatusBuckets columns and all pseudocolumns.
INSERT Into SearchJobs (Custom, EventSearch, LatestTime, Timeout) VALUES ('custom1=test1, custom2=test2', ' from datamodel SampleModel', 'now', '60')
Update
The SearchJobs table allows updates of the Custom column only when Sid is specified.
UPDATE SearchJobs SET Custom = 'custom1=test3, custom2=test4' WHERE sid = '123456789.1234'
Delete
SearchJobs can be deleted by providing the Sid.
DELETE FROM SearchJobs WHERE Sid = '123456789.1234'
Columns
Name | Type | ReadOnly | References | Description |
Sid [KEY] | String | False |
The search Id number. | |
EventSearch | String | False |
Subset of the entire search that is before any transforming commands. | |
Custom | String | False |
Custom job property. In an INSERT operation, pass the values as a comma-separated list of pairs of keys and values. | |
EarliestTime | String | False |
The earliest time a search job is configured to start. | |
LatestTime | String | False |
The latest time a search job is configured to start. | |
CursorTime | String | True |
The earliest time from which no events are later scanned. Can be used to indicate progress. | |
Delegate | String | True |
For saved searches, specifies jobs that were started by the user. Defaults to scheduler. | |
DiskUsage | Long | True |
The total amount of disk space used, in bytes. | |
DispatchState | String | True |
The state of the search. Can be any of QUEUED, PARSING, RUNNING, PAUSED, FINALIZING, FAILED, or DONE. | |
DoneProgress | Double | True |
A number between 0 and 1.0 that indicates the approximate progress of the search. doneProgress = (latestTime-cursorTime) / (latestTime-earliestTime) | |
DropCount | Integer | True |
For real-time searches only, the number of possible events that were dropped due to the rt_queue_size (defaults to 100000). | |
EventAvailableCount | Integer | True |
The number of events that are available for export. | |
EventCount | Integer | True |
The number of events returned by the search. | |
EventFieldCount | Integer | True |
The number of fields found in the search results. | |
EventIsStreaming | Boolean | True |
Indicates if the events of this search are being streamed. | |
EventIsTruncated | Boolean | True |
Indicates if the events of the search are not stored, making them unavailable from the events endpoint for the search. | |
EventPreviewableCount | Integer | True |
Number of in-memory events that are not yet committed to disk. | |
EventSorting | String | True |
Indicates if the events of this search are sorted, and in which order. | |
IsDone | Boolean | True |
Indicates if the search has completed. | |
IsEventsPreviewEnabled | String | True |
Indicates if the timeline_events_preview setting is enabled in limits.conf. | |
IsFailed | Boolean | True |
Indicates if there was a fatal error executing the search. For example, invalid search string syntax. | |
IsFinalized | Boolean | True |
Indicates if the search was finalized (stopped before completion). | |
IsPaused | Boolean | True |
Indicates if the search is paused. | |
IsPreviewEnabled | Boolean | True |
Indicates if previews are enabled. | |
IsRealTimeSearch | Boolean | True |
Indicates if the search is a real-time search. | |
IsRemoteTimeline | Boolean | True |
Indicates if the remote timeline feature is enabled. | |
IsSaved | Boolean | True |
Indicates that the search job is saved on disk. Search artifacts are saved on disk for 7 days from the last time that the job was viewed or touched. | |
IsSavedSearch | Boolean | True |
Indicates if this is a saved search run using the scheduler. | |
IsZombie | Boolean | True |
Indicates if the process running the search died without finishing the search. | |
Keywords | String | True |
All positive keywords used by this search. A positive keyword is a keyword that is not in a NOT clause. | |
Label | String | False |
Custom name created for this search. | |
Messages | String | True |
Errors and debug messages. | |
NumPreviews | Integer | True |
Number of previews generated so far for this search job. | |
Performance | String | True |
A representation of the execution costs. | |
Priority | Integer | True |
An integer between 0-10 that indicates the search priority. | |
RemoteSearch | String | True |
The search string that is sent to every search peer. | |
ReportSearch | String | True |
If reporting commands are used, the reporting search. | |
ResultCount | Integer | True |
The total number of results returned by the search. In other words, this is the subset of scanned events (represented by the ScanCount) that actually matches the search terms. | |
ResultIsStreaming | Boolean | True |
Indicates if the final results of the search are available using streaming (for example, no transforming operations). | |
ResultPreviewCount | Integer | True |
The number of result rows in the latest preview results. | |
RunDuration | Decimal | True |
Time in seconds that the search took to complete. | |
ScanCount | Integer | True |
The number of events that are scanned or read off disk. | |
SearchEarliestTime | Datetime | True |
Specifies the earliest time for a search, as specified in the search command rather than the EarliestTime parameter. It does not snap to the indexed data time bounds for all-time searches. | |
SearchLatestTime | Datetime | True |
Specifies the latest time for a search, as specified in the search command rather than the LatestTime parameter. It does not snap to the indexed data time bounds for all-time searches. | |
SearchProviders | String | True |
A list of all the search peers that were contacted. | |
StatusBuckets | Integer | False |
Maximum number of timeline buckets. | |
TTL | String | True |
The time to live, or the time before the search job expires after it completes. |
Pseudo-Columns
Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.
Name | Type | Description |
SearchMode | String |
Searching mode, realtime or normal. If set to realtime, the search runs over the live data. The allowed values are normal, realtime. |
EnableLookups | Boolean |
Indicates whether lookups should be applied to events. |
AutoPause | Integer |
If specified, the search job pauses after this many seconds of inactivity. (0 means never autopause.) |
AutoCancel | Integer |
If specified, the job automatically cancels after this many seconds of inactivity. (0 means never autocancel.) |
AdhocSearchLevel | Integer |
Specify a search mode. Use one of the following search modes: verbose, fast, or smart. The allowed values are verbose, fast, smart. |
ForceBundleReplication | Boolean |
Specifies whether this search should cause (and wait depending on the value of SyncBundleReplication) for bundle synchronization with all search peers. |
IndexEarliest | String |
Specify a time string. Sets the earliest inclusive time bounds for the search, based on the index time bounds. |
IndexLatest | String |
Specify a time string. Sets the latest exclusive time bounds for the search, based on the index time bounds. |
IndexedRealtime | Boolean |
Indicates whether or not to use the indexed-realtime mode for real-time searches. |
IndexedRealtimeOffset | Integer |
Sets disk sync delay for indexed real-time search (seconds). |
MaxCount | Integer |
The number of events that can be accessible in any given status bucket. |
MaxTime | Integer |
Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. |
Namespace | String |
The application namespace in which to restrict searches. |
Now | String |
Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time. You can specify a relative time modifier for this parameter. For example, specify +2d to specify the current time plus two days. |
ReduceFrequency | Integer |
Determines how frequently to run the MapReduce reduce phase on accumulated map values. |
ReloadMacros | Boolean |
Specifies whether to reload macro definitions from the configuration file. |
RemoteServerList | Integer |
The number of seconds to run this search before finalizing. Specify 0 to never finalize. |
ReplaySpeed | Integer |
Indicate a real-time search replay speed factor. For example, 1 indicates normal speed, 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. |
ReplayStartTime | String |
Relative wall-clock start time for the replay. |
ReplayEndTime | String |
Relative end time for the replay clock. The replay stops when the clock time reaches this time. |
ReuseMaxSecondsAgo | Integer |
Specifies the number of seconds ago to check when an identical search is started and return the search Id of the job instead of starting a new job. |
RequiredField | String |
Adds a required field to the search. |
RealTimeBlocking | Boolean |
For a real-time search, indicates if the indexer blocks if the queue for this search is full. |
RealTimeIndexFilter | Boolean |
For a real-time search, indicates if the indexer prefilters events. |
RealTimeMaxBlockSecs | Integer |
For a real-time search with RealTimeBlocking set to true, the maximum time to block. Specify 0 to indicate no limit. |
RealTimeQueueSize | Integer |
For a real-time search, the queue size (in events) that the indexer should use for this search. |
Timeout | Integer |
The number of seconds to keep this search after processing has stopped. |
SyncBundleReplication | String |
Specifies whether this search should wait for bundle replication to complete. |