Splunk

Last updated Nov 4, 2025

splunk-search

Runs a search on a Splunk server and fetches the results.

splunk-search [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [SPL]
profile=PROFILE
The identifier of the Splunk connection profile to use.
duration=NUM{mon|w|d|h|m|s}
Scan only recent data. NUM is followed by a time unit: s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s means data from the last 10 seconds.
from=yyyyMMddHHmmss
Start of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros.
to=yyyyMMddHHmmss
End of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros.
[SPL]
Required, despite the square brackets: here the brackets are part of the syntax, not an optional-parameter marker. Enter the SPL (Splunk Processing Language) query you want to execute inside the square brackets.

You can reference variables in your search conditions with $("variable_name"). Function calls are not supported inside the brackets, and substitution happens only where a $("variable_name") placeholder appears. If the named variable does not exist, the placeholder is replaced with an empty value.

See the examples below for detailed usage:

Usage Examples

  • splunk-search [ $("rest_query") ]
  • splunk-search [ | rest /services/$("path1")/introspection/$("path2") ]
  • splunk-search [ | rest /services/apps/$("path1") | search title=$("title_filter") | fields $("field1"), $("field2"), $("field3") ]
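The following Python block is an added example, not the plugin's own code, that models the option syntax and the $("variable_name") substitution rule described above so the behaviour can be checked on the usage examples offline. Everything in it is an assumption for illustration: the parser treats the bracketed tail as the SPL, a "mon" unit is taken as 30 days, and a timestamp with an omitted time part is padded with zeros on the right; the sample command, variable names and values are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed model of the splunk-search option syntax documented above.
# This is an assumption used for illustration, not the plugin's own code.
OPTION_KEYS = {"profile", "duration", "from", "to"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
DURATION_RE = re.compile(r"(\d+)(mon|w|d|h|m|s)")
PLACEHOLDER_RE = re.compile(r'\$\("([^"]*)"\)')  # matches $("name")


def parse_duration(text: str) -> timedelta:
    """NUM{mon|w|d|h|m|s} -> timedelta. A month is taken as 30 days (assumption)."""
    m = DURATION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "mon":
        return timedelta(days=30 * n)
    return timedelta(seconds=n * UNIT_SECONDS[unit])


def parse_timestamp(text: str) -> datetime:
    """yyyyMMddHHmmss; an omitted time part is padded with zeros on the right."""
    if not text.isdigit() or len(text) not in (8, 10, 12, 14):
        raise ValueError(f"bad timestamp: {text!r}")
    return datetime.strptime(text.ljust(14, "0"), "%Y%m%d%H%M%S")


def substitute(spl: str, variables: Dict[str, str]) -> str:
    """Replace every $("name") placeholder textually; unknown names become empty."""
    return PLACEHOLDER_RE.sub(lambda m: str(variables.get(m.group(1), "")), spl)


def parse_command(line: str, variables: Optional[Dict[str, str]] = None,
                  now: Optional[datetime] = None) -> dict:
    """Split a splunk-search line into options, a time range and the final SPL."""
    variables = variables or {}
    now = now or datetime.now()
    if not line.startswith("splunk-search"):
        raise ValueError("not a splunk-search command")
    rest = line[len("splunk-search"):].strip()
    # The SPL is the bracketed tail and is required, brackets included.
    if "[" not in rest or not rest.endswith("]"):
        raise ValueError("SPL must be given in square brackets")
    bracket = rest.index("[")
    opts_text, spl = rest[:bracket].strip(), rest[bracket + 1:-1].strip()
    opts: Dict[str, str] = {}
    for token in opts_text.split():
        key, sep, value = token.partition("=")
        if not sep or key not in OPTION_KEYS:
            raise ValueError(f"unknown option: {token!r}")
        opts[key] = value
    earliest = latest = None
    if "duration" in opts:
        latest = now
        earliest = now - parse_duration(opts["duration"])
    if "from" in opts:
        earliest = parse_timestamp(opts["from"])
    if "to" in opts:
        latest = parse_timestamp(opts["to"])
    return {
        "profile": opts.get("profile"),
        "earliest": earliest,
        "latest": latest,
        "spl": substitute(spl, variables),
    }


if __name__ == "__main__":
    # Constructed sample: the second usage example above with two variables set.
    cmd = ('splunk-search profile=prod duration=10s '
           '[ | rest /services/apps/$("path1") | search title=$("title_filter") ]')
    print(parse_command(cmd, {"path1": "local", "title_filter": "launcher"},
                        now=datetime(2025, 11, 4, 12, 0, 0)))
```

Because the substitution modelled here is purely textual, a variable value is spliced into the SPL verbatim; a caller that fills a placeholder from data it does not control should validate the value against the shape it expects (for example, an app name made of letters, digits and underscores) before the search is run.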

Output Fields

The output fields are determined by the search query.