How to work with saved searches using the Splunk SDK for Java

The most fundamental feature in Splunk Enterprise is searching your data. But before diving into the details of how to use the SDK to search, let's clarify the terms:

  • A search query is a set of commands and functions you use to retrieve events from an index or a real-time stream, for example: search * | head 10.
  • A saved search is a search query that has been saved to be used again and can be set up to run on a regular schedule. The results from the search are not saved with the query.
  • A search job is an instance of a completed or still-running search operation, along with the results. A search ID is returned when you create a job, allowing you to access the results of the search when they become available. Search results are returned in XML (the default for Java), JSON, JSON_ROWS, JSON_COLS, or CSV format.

This topic focuses on working with saved searches. For more about working with search jobs, see How to run searches and display results.

The saved search APIs

The classes for working with saved searches are SavedSearch (one saved search) and SavedSearchCollection (the collection of saved searches in a namespace), plus two argument classes: SavedSearchCollectionArgs, for filtering and sorting a collection, and SavedSearchDispatchArgs, for passing run-time parameters when you dispatch a saved search.

Access these classes through an instance of the Service class. Retrieve a collection, and from there you can access individual items in the collection and create new ones. For example, here's a simplified program for getting a collection of saved searches and creating a new one:

// Connect to Splunk Enterprise
// (connectArgs is a ServiceArgs holding the host, management port and credentials)
Service service = Service.connect(connectArgs);

// Retrieve the collection of saved searches
SavedSearchCollection savedSearches = service.getSavedSearches();

// Create a saved search
SavedSearch savedSearch = savedSearches.create(name, query);

// Another way to create a saved search, without keeping the collection around
SavedSearch savedSearch2 = service.getSavedSearches().create(name, query);

Code examples

This section provides examples of how to use the search APIs, assuming you first connect to a Splunk Enterprise instance:

To list saved searches

This example shows how to retrieve and list the saved searches in the saved search collection. If you don't explicitly specify a namespace, the current one is used.

// List all saved searches for the current namespace
SavedSearchCollection savedSearches = service.getSavedSearches();
System.out.println(savedSearches.size() + " saved searches are available to the current user:\n");
for (SavedSearch entity : savedSearches.values()) {
    System.out.println("     " + entity.getName());
}

To retrieve a collection for a specific namespace (for example, to list the saved searches available to a specific username), provide the namespace as an argument to the Service.getSavedSearches method.

This example retrieves the collection of users and lists the saved searches for the last username in the collection (just to show a user other than "admin"):

// Get the collection of users and save the name of the last user
UserCollection users = service.getUsers();
String lastUser = null;
for (User user : users.values()) {
    lastUser = user.getName();
}

// Specify a namespace using the name of the last user
ServiceArgs namespace = new ServiceArgs();
namespace.setApp("search");
namespace.setOwner(lastUser);
SavedSearchCollection savedSearches2 = service.getSavedSearches(namespace);

System.out.println(savedSearches2.size() + " saved searches are available to '" + lastUser + "':\n");
for (SavedSearch search : savedSearches2.values()) {
    System.out.println("     " + search.getName());
}
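The same namespace mechanism lets you inventory saved searches across every app and owner rather than one user at a time. The following is an added example, not code from the Splunk SDK documentation: it uses the "-" wildcard for both halves of the namespace and flags scheduled searches whose alert actions run a script on the search head or write into a summary index or lookup, which are the actions someone with write access to saved searches would abuse. It assumes an already-connected Service (as the examples on this page do) and uses the SDK's per-action Boolean getters on SavedSearch (isActionScript, isActionSummaryIndex, isActionPopulateLookup) plus the Map view of the entity for the two properties that have no dedicated getter here.

```java
// Added example (not from the Splunk SDK for Java documentation): audit the
// scheduled saved searches in every app/owner namespace and flag the ones
// whose alert actions run code or write data. Assumes a connected Service.
import java.util.ArrayList;
import java.util.List;

import com.splunk.SavedSearch;
import com.splunk.SavedSearchCollection;
import com.splunk.Service;
import com.splunk.ServiceArgs;

public class SavedSearchAudit {

    /** One finding per scheduled search with a code-running or data-writing action. */
    public static List<String> findRiskyScheduledSearches(Service service) {
        // "-" is the wildcard for both the app and the owner part of the namespace
        ServiceArgs namespace = new ServiceArgs();
        namespace.setApp("-");
        namespace.setOwner("-");
        SavedSearchCollection all = service.getSavedSearches(namespace);

        List<String> findings = new ArrayList<>();
        for (SavedSearch s : all.values()) {
            if (!s.isScheduled()) {
                continue; // only searches the scheduler runs unattended
            }
            String where = s.getMetadata().getApp() + "/" + s.getMetadata().getOwner()
                    + "/" + s.getName() + " [" + s.getCronSchedule() + "]";

            // A script action executes a file on the search head under the
            // account splunkd runs as, every time the alert fires
            if (s.isActionScript()) {
                findings.add(where + " runs script " + s.getActionScriptFilename());
            }
            // Summary-index and populate-lookup actions write data that other
            // searches and dashboards then trust as if it were indexed input
            if (s.isActionSummaryIndex()) {
                findings.add(where + " writes summary index "
                        + s.get("action.summary_index._name"));
            }
            if (s.isActionPopulateLookup()) {
                findings.add(where + " populates lookup "
                        + s.get("action.populate_lookup.dest"));
            }
        }
        return findings;
    }

    public static void printReport(Service service) {
        for (String finding : findRiskyScheduledSearches(service)) {
            System.out.println(finding);
        }
    }
}
```

Run it with an account that can read all apps; the wildcard namespace only returns what the calling user is permitted to see, so an audit run as a restricted user is silently incomplete.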

To view the history of a saved search

The history of a saved search contains the past and current instances (jobs) of the search. This example shows the history for all the saved searches in the current collection:

// Retrieve the collection of saved searches
SavedSearchCollection savedSearches = service.getSavedSearches();

// Iterate through the collection of saved searches and display the history for each one
for (SavedSearch entity : savedSearches.values()) {
    Job[] sHistory = entity.history();
    System.out.println("\n" + sHistory.length + " jobs for the '" + entity.getName() + "' saved search");
    for (int i = 0; i < sHistory.length; ++i) {
        System.out.println("     " + sHistory[i].getEventCount() + " events for Search ID " + sHistory[i].getSid() + "\n");
    }
}

To create a saved search

When you create a saved search, at a minimum you need to provide a search query and a name for the search. Then you have a couple of options for how to set properties for the saved search:

  • Use the setter methods. The setter methods are the easiest way to set and modify properties, but they aren't available until after the saved search has been created. See the next section for more about modifying a saved search.
  • Create an argument map of key-value pairs. Creating an argument map is the only way to set properties at the same time you create a saved search, but it requires a little more work to look up properties and provide values in the correct format. For a list of possible properties, see Saved search parameters.

This example shows how to create a simple saved search:

// Create a saved search by specifying a name and search query
// Note: The leading 'search' command is optional in a saved search query
String myQuery = "* | head 10"; 
String mySearchName = "Test Search";
SavedSearch savedSearch = service.getSavedSearches().create(mySearchName, myQuery);
System.out.println("The search '" + savedSearch.getName() + 
        "' (" + savedSearch.getSearch() + ") was saved");
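The argument-map option mentioned above is the way to create a scheduled search with its schedule, time window and alert condition in a single request. The following is an added example (not the page's or the SDK's own code) that does this and also handles the case where a saved search of that name already exists: a second create with the same name fails with an HTTP error, so the example pushes the same property map through the existing entity with update instead. The property keys are the REST parameter names listed under Saved search parameters later on this page; the query, threshold and schedule values are assumptions for the example, and a connected Service is assumed.

```java
// Added example (not from the Splunk SDK documentation): create a scheduled
// alert from a property map in one request, or update it in place if a saved
// search with that name already exists. Assumes a connected Service.
import com.splunk.Args;
import com.splunk.SavedSearch;
import com.splunk.SavedSearchCollection;
import com.splunk.Service;

public class CreateScheduledAlert {

    public static SavedSearch createOrUpdate(Service service, String name, String query) {
        SavedSearchCollection savedSearches = service.getSavedSearches();

        // Keys are the REST parameter names; values are assumptions for the example
        Args props = new Args();
        props.put("description", "Failed logins per source, checked every 5 minutes");
        props.put("is_scheduled", true);
        props.put("cron_schedule", "*/5 * * * *");
        props.put("dispatch.earliest_time", "-5m@m");   // window matches the schedule
        props.put("dispatch.latest_time", "now");
        props.put("alert_type", "number of events");
        props.put("alert_comparator", "greater than");
        props.put("alert_threshold", "20");
        props.put("alert.track", "true");               // keep fired alerts visible
        props.put("max_concurrent", 1);                 // never pile up overlapping runs

        if (savedSearches.containsKey(name)) {
            // create() would fail on a duplicate name; update the entity instead.
            // SavedSearch.update adds the current search string if the map has none,
            // so set the new query first.
            SavedSearch existing = savedSearches.get(name);
            existing.setSearch(query);
            existing.update(props);
            existing.refresh();
            return existing;
        }
        return savedSearches.create(name, query, props);
    }

    public static void demo(Service service) {
        // Assumed query against Splunk's own audit index
        SavedSearch s = createOrUpdate(service, "Failed logins by source",
                "index=_audit action=\"login attempt\" info=failed | stats count by src");
        System.out.println("'" + s.getName() + "' scheduled: " + s.isScheduled()
                + ", next run: " + s.getNextScheduledTime());
    }
}
```

Keep the dispatch window and the cron interval aligned, as above; a window wider than the interval counts the same events in consecutive runs, and a narrower one leaves gaps.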

To view and modify the properties of a saved search

This example shows how to view the properties of the new saved search:

// Retrieve the search that was just created
SavedSearch savedSearch = service.getSavedSearches().get("Test Search");

// Display some properties of the new search
System.out.println("Properties for '" + savedSearch.getName() + "':\n\n" +
        "Description:         " + savedSearch.getDescription() + "\n" +
        "Scheduled:           " + savedSearch.isScheduled() + "\n" +
        "Next scheduled time: " + savedSearch.getNextScheduledTime() + "\n"
        );

To set properties, use the SavedSearch setter methods, which set the properties on your local, cached copy of the object. To make these changes to the server, call the update method.

This example shows how to set the description and schedule the saved search in cron format:

// Retrieve the new saved search
SavedSearch savedSearch = service.getSavedSearches().get("Test Search");

// Set the properties and schedule
savedSearch.setDescription("This is a test search");
savedSearch.setIsScheduled(true); 
savedSearch.setCronSchedule("15 4 * * 6"); 

// Update the server with changes
savedSearch.update();

System.out.println("New properties for '" + savedSearch.getName()
        + "':\n\n" + "Description:         "
        + savedSearch.getDescription() + "\n" + "Scheduled:           "
        + savedSearch.isScheduled() + "\n" + "Next scheduled time: "
        + savedSearch.getNextScheduledTime() + "\n");

To run a saved search

Running a saved search creates a search job that is scheduled to run right away. Use the SavedSearch.dispatch method to run a saved search, which returns a Job object that corresponds to the search job. The Job object gives you access to information about the search job, such as the search ID, the status of the search, and the search results once the search job has finished.

The dispatch method takes these optional parameters:

  • dispatch.now: A time string that is used to dispatch the search as though the specified time were the current time.
  • dispatch.*: Overwrites the value of the search field specified in *.
  • trigger_actions: A Boolean that indicates whether to trigger alert actions.
  • force_dispatch: A Boolean that indicates whether to start a new search if another instance of this search is already running.

You can either set these properties using the SavedSearchDispatchArgs class or by using the generic Args class and passing these parameters as key-value pairs.

This example runs the search that was created in the previous example and shows how to poll the status to determine when the search has completed:

// Retrieve the new saved search
SavedSearch savedSearch = service.getSavedSearches().get("Test Search");

// Run a saved search and poll for completion
System.out.println("Run the '" + savedSearch.getName() + "' search ("
        + savedSearch.getSearch() + ")\n");
Job jobSavedSearch = null;

// Run the saved search
try {
    jobSavedSearch = savedSearch.dispatch();
} catch (InterruptedException e1) {
    e1.printStackTrace();
}

System.out.println("Waiting for the job to finish...\n");

// Wait for the job to finish
while (!jobSavedSearch.isDone()) {
    try {
        Thread.sleep(500);
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
}

Once the search has finished, retrieve the search results from the Job object. For more, see How to display search results.
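The following is an added example, not from the page or the SDK, that carries the procedure above through to the results: it dispatches the saved search with run-time arguments, waits for the job, reads the results as JSON with ResultsReaderJson, and then cancels the job to release its artifacts. It assumes a connected Service and the "Test Search" created earlier. The setter names on SavedSearchDispatchArgs (setTriggerActions, setDispatchEarliestTime, setDispatchLatestTime) are the SDK's setters for the dispatch parameters listed above.

```java
// Added example (not from the Splunk SDK documentation): run a saved search
// ad hoc, wait for it, collect its results, and clean up the job.
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import com.splunk.Event;
import com.splunk.Job;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.SavedSearch;
import com.splunk.SavedSearchDispatchArgs;
import com.splunk.Service;

public class RunSavedSearch {

    public static List<Event> runAndCollect(Service service, String searchName)
            throws Exception {
        SavedSearch savedSearch = service.getSavedSearches().get(searchName);
        if (savedSearch == null) {
            throw new IllegalArgumentException("No saved search named " + searchName);
        }

        // Ad hoc run: do not fire the alert's email/script actions, and pin the
        // time window so a broad saved query cannot become an expensive job
        SavedSearchDispatchArgs dispatchArgs = new SavedSearchDispatchArgs();
        dispatchArgs.setTriggerActions(false);
        dispatchArgs.setDispatchEarliestTime("-15m@m");
        dispatchArgs.setDispatchLatestTime("now");

        Job job = savedSearch.dispatch(dispatchArgs);

        // Poll the cached job state until the search head reports it done
        while (!job.isDone()) {
            Thread.sleep(500);
            job.refresh();
        }

        // Ask for JSON so ResultsReaderJson can parse it; count 0 returns all rows
        JobResultsArgs resultsArgs = new JobResultsArgs();
        resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
        resultsArgs.setCount(0);

        List<Event> events = new ArrayList<>();
        try (InputStream stream = job.getResults(resultsArgs)) {
            ResultsReaderJson reader = new ResultsReaderJson(stream);
            Event event;
            while ((event = reader.getNextEvent()) != null) {
                events.add(event);
            }
            reader.close();
        }

        // Release the artifacts now instead of waiting for dispatch.ttl to expire
        job.cancel();
        return events;
    }

    public static void demo(Service service) throws Exception {
        for (Event event : runAndCollect(service, "Test Search")) {
            System.out.println(event.get("_time") + "  " + event.get("_raw"));
        }
    }
}
```

Each Event is a map of field name to value, so fields beyond _time and _raw are read the same way. Cancelling the job also drops it from the saved search's history; skip that call if you rely on the history to show ad hoc runs.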

To run a saved search with run-time arguments

If you want to save a search containing a search keyword or field value that will not be known until you actually run the saved search, you can use a variable in the saved search query. Then when you run the saved search, specify the value of that variable in an argument map (create it using the SavedSearchDispatchArgs class) and pass that map to the SavedSearch.dispatch(args) method.

You can also specify additional search attributes at run time (such as time modifiers) as dispatch arguments. Some of these attributes can be set using setter methods of the SavedSearchDispatchArgs class. If the attribute you want to set doesn't have a setter method, just set the attribute as a key-value pair in the dispatch argument map.

The example below shows how to set run-time variables, starting with a simple query for a saved search:

search index=_internal sourcetype=splunkd_access

But let's say you won't know which source type to search on until run time. In that case, you can add a variable "mysourcetype" in the format $args.variablename$ (the variable name must be prefixed with "args."). The search query becomes:

search index=_internal sourcetype=$args.mysourcetype$

After saving the search, the example creates an argument map using a mix of SavedSearchDispatchArgs setter methods and key-value pairs. Then, the saved search is run using the SavedSearch.dispatch(args) method.

// Create a saved search that has a variable for sourcetype
String myQuery = "index=_internal sourcetype=$args.mysourcetype$"; 
String mySearchName = "Test Search Args";
SavedSearch savedSearch = service.getSavedSearches().create(mySearchName, myQuery);

// Set the arguments for dispatching the saved search
SavedSearchDispatchArgs dispatchArgs = new SavedSearchDispatchArgs();

// These attributes have setter methods
dispatchArgs.setDispatchEarliestTime("-20m@m");
dispatchArgs.setDispatchLatestTime("now");

// The value of the field variable "mysourcetype" is also set as a key-value pair
dispatchArgs.add("args.mysourcetype", "splunkd");


// Run the saved search with the dispatch arguments
Job job = null;
try {
    job = savedSearch.dispatch(dispatchArgs);
} catch (InterruptedException e1) {
    e1.printStackTrace();
}

System.out.println("Waiting for the job to finish...");

// Wait for the job to finish
while (!job.isDone()) {
    try {
        Thread.sleep(500);
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
}
System.out.println("Done! The job finished with " + job.getEventCount() + " events.");

To delete a saved search

You can delete a saved search using the Entity.remove method, or delete it from the collection by using the ResourceCollection.remove(name) method. Jobs that were already dispatched from the saved search, including any still running, are not deleted with it.

This example shows how to delete a saved search using the Entity.remove method:

// Retrieve a saved search
SavedSearch savedSearch = service.getSavedSearches().get("Test Search");

// Delete the saved search
savedSearch.remove();
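Because removing the saved search leaves its jobs behind, a practitioner usually wants to stop what is still running first. The following is an added example, not code from the page or the SDK: it walks the saved search's history, cancels jobs that have not finished, disables the schedule so no new run starts in between, and then removes the search. It assumes a connected Service.

```java
// Added example (not from the Splunk SDK documentation): cancel a saved
// search's running jobs and disable its schedule before removing it.
import com.splunk.Job;
import com.splunk.SavedSearch;
import com.splunk.SavedSearchCollection;
import com.splunk.Service;

public class RemoveSavedSearch {

    /** Removes the named saved search; returns how many running jobs were cancelled. */
    public static int cancelJobsAndRemove(Service service, String searchName) {
        SavedSearchCollection savedSearches = service.getSavedSearches();
        SavedSearch savedSearch = savedSearches.get(searchName);
        if (savedSearch == null) {
            return 0; // already gone; nothing to cancel or remove
        }

        // Take the search off the scheduler first so no new job starts
        // between reading the history and removing the entity
        if (savedSearch.isScheduled()) {
            savedSearch.setIsScheduled(false);
            savedSearch.update();
        }

        int cancelled = 0;
        for (Job job : savedSearch.history()) {
            if (!job.isDone()) {
                job.cancel(); // stops the search and discards its artifacts
                cancelled++;
            }
        }

        savedSearch.remove();
        return cancelled;
    }

    public static void demo(Service service) {
        int n = cancelJobsAndRemove(service, "Test Search");
        System.out.println("Removed 'Test Search' and cancelled " + n + " running job(s)");
    }
}
```

Finished jobs are left alone: their artifacts still expire on their own dispatch.ttl, and keeping them preserves the evidence of what the search last returned.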

Parameters

The following parameters are available for saved searches:

Collection parameters

The parameters below are available when retrieving a collection of saved searches.

By default, all entities are returned when you retrieve a collection. Using the parameters below, you can specify the number of entities to return, how to sort them, and so on. Set these parameters using setters from the SavedSearchCollectionArgs class or create a generic Args map:

count: A number that indicates the maximum number of entries to return. A value of 0 means all entries are returned.
earliest_time: For scheduled searches, a time string; the response lists all the scheduled run times starting from this time, not just the next one.
latest_time: For scheduled searches, a time string; the response lists the scheduled run times up to this time.
offset: A number that specifies the index of the first item to return.
search: A string that specifies a search expression to filter the response with, matching field values against the search expression. For example, "search=foo" matches any object that has "foo" as a substring in a field, and "search=field_name%3Dfield_value" restricts the match to a single field.
sort_dir: An enum value that specifies how to sort entries. Valid values are "asc" (ascending order) and "desc" (descending order).
sort_key: A string that specifies the field to sort by.
sort_mode: An enum value that specifies how to sort entries. Valid values are "auto", "alpha" (alphabetically), "alpha_case" (alphabetically, case sensitive), or "num" (numerically).

Saved search parameters

The properties that are available for saved searches correspond to the parameters for the saved/searches endpoint in the REST API.

This table summarizes the properties you can set for a saved search. While you can use setter methods to modify existing properties, you can only set them at the same time that you create a saved search by providing a map of property key-value pairs.

This example shows how to do that by setting a "description" property while creating a saved search:

// Create an argument map with properties for a new saved search
Args savedSearchArgs = new Args();
savedSearchArgs.put("description", "This is my test search");
SavedSearch savedSearch = service.getSavedSearches().create("My Test Search", 
        "search * | head 5", savedSearchArgs);

name: Required. A string that contains the name of the saved search.
search: Required. A string that contains the search query.
action.*: A string with wildcard arguments to specify specific action arguments.
action.email: A Boolean that indicates the state of the email alert action. Read only.
action.email.auth_password: A string that specifies the password to use when authenticating with the SMTP server. Normally this value is set while editing the email settings, but you can set a clear text password here; it is encrypted when Splunk Enterprise is restarted. Until that restart it sits in clear text in the configuration, and it is sent as a plain request parameter, so only set it over HTTPS and keep the argument map out of logs.
action.email.auth_username: A string that specifies the username to use when authenticating with the SMTP server. If this is an empty string, authentication is not attempted.
action.email.bcc: A string that specifies the BCC email address to use if "action.email" is enabled.
action.email.cc: A string that specifies the CC email address to use if "action.email" is enabled.
action.email.command: A string that contains the search command (or pipeline) for running the action.
action.email.format: An enum value that indicates the format of text and attachments in the email ("plain", "html", "raw", or "csv"). Use "plain" for plain text.
action.email.from: A string that specifies the email sender's address.
action.email.hostname: A string that specifies the hostname used in the web link (URL) that is sent in email alerts. Valid forms are "hostname" and "protocol://hostname:port".
action.email.inline: A Boolean that indicates whether the search results are contained in the body of the email.
action.email.mailserver: A string that specifies the address of the MTA server to be used to send the emails.
action.email.maxresults: The maximum number of search results to send when "action.email" is enabled.
action.email.maxtime: A number indicating the maximum amount of time an email action takes before the action is canceled. The valid format is a number followed by a time unit ("s", "m", "h", or "d"), for example "5d".
action.email.pdfview: A string that specifies the name of the view to deliver if "action.email.sendpdf" is enabled.
action.email.preprocess_results: A string that specifies how to pre-process results before emailing them.
action.email.reportCIDFontList: Members of an enumeration in a space-separated list specifying the set (and load order) of CID fonts for handling Simplified Chinese (gb), Traditional Chinese (cns), Japanese (jp), and Korean (kor) in Integrated PDF Rendering.
action.email.reportIncludeSplunkLogo: A Boolean that indicates whether to include the Splunk logo with the report.
action.email.reportPaperOrientation: An enum value that indicates the paper orientation ("portrait" or "landscape").
action.email.reportPaperSize: An enum value that indicates the paper size for PDFs ("letter", "legal", "ledger", "a2", "a3", "a4", or "a5").
action.email.reportServerEnabled: A Boolean that indicates whether the PDF server is enabled.
action.email.reportServerURL: A string that contains the URL of the PDF report server, if one is set up and available on the network.
action.email.sendpdf: A Boolean that indicates whether to create and send the results as a PDF.
action.email.sendresults: A Boolean that indicates whether to attach search results to the email.
action.email.subject: A string that specifies the subject line of the email.
action.email.to: A string that contains a comma- or semicolon-delimited list of recipient email addresses. Required if this search is scheduled and "action.email" is enabled.
action.email.track_alert: A Boolean that indicates whether running this email action results in a trackable alert.
action.email.ttl: The number of seconds indicating the minimum time-to-live (ttl) of search artifacts if this email action is triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
action.email.use_ssl: A Boolean that indicates whether to use secure socket layer (SSL) when communicating with the SMTP server.
action.email.use_tls: A Boolean that indicates whether to use transport layer security (TLS) when communicating with the SMTP server.
action.email.width_sort_columns: A Boolean that indicates whether columns should be sorted from least wide to most wide, left to right. This value is only used when "action.email.format"="plain", indicating plain text.
action.populate_lookup: A Boolean that indicates the state of the populate-lookup alert action. Read only.
action.populate_lookup.command: A string that specifies the search command (or pipeline) to run the populate-lookup alert action.
action.populate_lookup.dest: A string that specifies the name of the lookup table or lookup path to populate.
action.populate_lookup.hostname: A string that specifies the host name used in the web link (URL) that is sent in populate-lookup alerts. Valid forms are "hostname" and "protocol://hostname:port".
action.populate_lookup.maxresults: The maximum number of search results to send in populate-lookup alerts.
action.populate_lookup.maxtime: The number indicating the maximum amount of time an alert action takes before the action is canceled. The valid format is a number followed by a time unit ("s", "m", "h", or "d").
action.populate_lookup.track_alert: A Boolean that indicates whether running this populate-lookup action results in a trackable alert.
action.populate_lookup.ttl: The number of seconds indicating the minimum time-to-live (ttl) of search artifacts if this populate-lookup action is triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
action.rss: A Boolean that indicates the state of the RSS alert action. Read only.
action.rss.command: A string that contains the search command (or pipeline) that runs the RSS alert action.
action.rss.hostname: A string that contains the host name used in the web link (URL) that is sent in RSS alerts. Valid forms are "hostname" and "protocol://hostname:port".
action.rss.maxresults: The maximum number of search results to send in RSS alerts.
action.rss.maxtime: The maximum amount of time an RSS alert action takes before the action is canceled. The valid format is a number followed by a time unit ("s", "m", "h", or "d").
action.rss.track_alert: A Boolean that indicates whether running this RSS action results in a trackable alert.
action.rss.ttl: The number of seconds indicating the minimum time-to-live (ttl) of search artifacts if this RSS action is triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
action.script: A Boolean that indicates the state of the script alert action. Read only.
action.script.command: A string that contains the search command (or pipeline) that runs the script action.
action.script.filename: A string that specifies the file name of the script to call, which is required if "action.script" is enabled.
action.script.hostname: A string that specifies the hostname used in the web link (URL) that is sent in script alerts. Valid forms are "hostname" and "protocol://hostname:port".
action.script.maxresults: The maximum number of search results to send in script alerts.
action.script.maxtime: The maximum amount of time a script action takes before the action is canceled. The valid format is a number followed by a time unit ("s", "m", "h", or "d").
action.script.track_alert: A Boolean that indicates whether running this script action results in a trackable alert.
action.script.ttl: The number of seconds indicating the minimum time-to-live (ttl) of search artifacts if this script action is triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
action.summary_index: A Boolean that indicates the state of the summary index alert action. Read only.
action.summary_index._name: A string that specifies the name of the summary index where the results of the scheduled search are saved.
action.summary_index.command: A string that contains the search command (or pipeline) that runs the summary-index action.
action.summary_index.hostname: A string that specifies the hostname used in the web link (URL) that is sent in summary-index alerts. Valid forms are "hostname" and "protocol://hostname:port".
action.summary_index.inline: A Boolean that indicates whether to run the summary indexing action as part of the scheduled search.
action.summary_index.maxresults: The maximum number of search results to send in summary-index alerts.
action.summary_index.maxtime: A number indicating the maximum amount of time a summary-index action takes before the action is canceled. The valid format is a number followed by a time unit ("s", "m", "h", or "d"), for example "5d".
action.summary_index.track_alert: A Boolean that indicates whether running this summary-index action results in a trackable alert.
action.summary_index.ttl: The number of seconds indicating the minimum time-to-live (ttl) of search artifacts if this summary-index action is triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
actions: A string that contains a comma-delimited list of actions to enable, for example "rss,email".
alert.digest_mode: A Boolean that indicates whether Splunk Enterprise applies the alert actions to the entire result set or digest ("true"), or to each individual search result ("false").
alert.expires: The amount of time to show the alert in the dashboard. The valid format is a number followed by a time unit ("s", "m", "h", or "d").
alert.severity: A number that indicates the alert severity level (1=DEBUG, 2=INFO, 3=WARN, 4=ERROR, 5=SEVERE, 6=FATAL).
alert.suppress: A Boolean that indicates whether alert suppression is enabled for this scheduled search.
alert.suppress.fields: A string that contains a comma-delimited list of fields to use for alert suppression.
alert.suppress.period: A value that indicates the alert suppression period, which is only valid when "alert.suppress" is enabled. The valid format is a number followed by a time unit ("s", "m", "h", or "d").
alert.track: An enum value that indicates how to track the actions triggered by this saved search. Valid values are: "true" (enabled), "false" (disabled), and "auto" (tracking is based on the setting of each action).
alert_comparator: A string that contains the alert comparator. Valid values are: "greater than", "less than", "equal to", "rises by", "drops by", "rises by perc", and "drops by perc".
alert_condition: A string that contains a conditional search that is evaluated against the results of the saved search.
alert_threshold: A value to compare to before triggering the alert action. Valid values are: integer or integer%. If this value is expressed as a percentage, it indicates the value to use when "alert_comparator" is set to "rises by perc" or "drops by perc".
alert_type: A string that indicates what to base the alert on. Valid values are: "always", "custom", "number of events", "number of hosts", and "number of sources". This value is overridden by "alert_condition" if specified.
args.*: A string containing wildcard arguments for any saved search template argument, such as "args.username"="foobar" when the search is search $username$.
auto_summarize: A Boolean that indicates whether the scheduler ensures that the data for this search is automatically summarized.
auto_summarize.command: A string that contains a search template that constructs the auto summarization for this search.
auto_summarize.cron_schedule: A string that contains the cron schedule for probing and generating the summaries for this saved search.
auto_summarize.dispatch.earliest_time: A string that specifies the earliest time for summarizing this saved search. The time can be relative or absolute; if absolute, use the "dispatch.time_format" parameter to format the value.
auto_summarize.dispatch.latest_time: A string that contains the latest time for summarizing this saved search. The time can be relative or absolute; if absolute, use the "dispatch.time_format" parameter to format the value.
auto_summarize.dispatch.ttl: The time to live (in seconds) for the artifacts of the summarization of the scheduled search. If the value is a number followed by "p", it is the number of scheduled search periods.
auto_summarize.max_disabled_buckets: A number that specifies the maximum number of buckets with suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for the "auto_summarize.suspend_period" parameter.
auto_summarize.max_summary_ratio: A number that specifies the maximum ratio of summary size to bucket size, which specifies when to stop summarization and deem it unhelpful for a bucket. The test is only performed if the summary size is larger than the value of "auto_summarize.max_summary_size".
auto_summarize.max_summary_size: A number that specifies the minimum summary size, in bytes, before testing whether the summarization is helpful.
auto_summarize.max_time: A number that specifies the maximum time (in seconds) that the summary search is allowed to run. Note that this is an approximate time because the summary search stops at clean bucket boundaries.
auto_summarize.suspend_period: A string that contains the time indicating when to suspend summarization of this search if the summarization is deemed unhelpful.
auto_summarize.timespan: A string that contains a comma-delimited list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available.
cron_schedule: A string that contains the cron-style schedule for running this saved search.
description: A string that contains a description of this saved search.
disabled: A Boolean that indicates whether the saved search is disabled.
dispatch.*: A string that specifies wildcard arguments for any dispatch-related argument.
dispatch.buckets: The maximum number of timeline buckets.
dispatch.earliest_time: A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use "dispatch.time_format" to format the value.
dispatch.latest_time: A time string that specifies the latest time for this saved search. Can be a relative or absolute time. If this value is an absolute time, use "dispatch.time_format" to format the value.
dispatch.lookups: A Boolean that indicates whether lookups for this search are enabled.
dispatch.max_count: The maximum number of results before finalizing the search.
dispatch.max_time: The maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq: The number of seconds indicating how frequently Splunk Enterprise runs the MapReduce reduce phase on accumulated map values.
dispatch.rt_backfill: A Boolean that indicates whether to back fill the real-time window for this search. This value is only used for a real-time search.
dispatch.spawn_process: A Boolean that indicates whether Splunk Enterprise spawns a new search process when running this saved search.
dispatch.time_format: A string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl: The time to live (ttl) for artifacts of the scheduled search (the time before the search job expires and its artifacts are no longer available), if no alerts are triggered. If the value is a number followed by "p", it is the number of scheduled search periods.
displayview: A string that contains the default UI view name (not label) in which to load the results.
is_scheduled: A Boolean that indicates whether this saved search runs on a schedule.
is_visible: A Boolean that indicates whether this saved search is visible in the saved search list.
max_concurrent: The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time: A string that indicates the next scheduled time for this saved search. Read only.
qualifiedSearch: A string that is computed during run time. Read only.
realtime_schedule: A Boolean that specifies how the scheduler computes the next time a scheduled search is run:
  • When "true": The schedule is based on the current time. The scheduler might skip some scheduled periods to make sure that searches over the most recent time range are run.
  • When "false": The schedule is based on the last search run time (referred to as "continuous scheduling") and the scheduler never skips scheduled periods. However, the scheduler might fall behind depending on its load. Use continuous scheduling whenever you enable the summary index option ("action.summary_index").

The scheduler tries to run searches that have real-time schedules enabled before running searches that have continuous scheduling enabled.

request.ui_dispatch_app: A string that contains the name of the app in which Splunk Enterprise dispatches this search.
request.ui_dispatch_view: A string that contains the name of the view in which Splunk Enterprise dispatches this search.
restart_on_searchpeer_add: A Boolean that indicates whether a real-time search managed by the scheduler is restarted when a search peer becomes available for this saved search. The peer can be one that is newly added or one that has become available after being down.
run_on_startup: A Boolean that indicates whether this search is run when Splunk Enterprise starts. If the search is not run on startup, it runs at the next scheduled time. It is recommended that you set this value to "true" for scheduled searches that populate lookup tables.
vsid: A string that contains the view state ID that is associated with the view specified in the "displayview" attribute.