run_splunk_search
Execute complex Splunk searches with real-time progress tracking and detailed statistics. Monitor job status, retrieve results, and handle long-running queries efficiently.
Instructions
Run a Splunk search as a tracked job with progress and stats. Use this for complex or long‑running queries (joins, transforms, large scans) where you need job status, scan/event counts, and reliable result retrieval. Prefer this over oneshot when the query may exceed ~30s or requires progress visibility.
Outputs: job id, results (JSON), counts, timing, and job status. Security: results are constrained by the authenticated user's permissions.Args: query (str): The Splunk search query (SPL) to execute. Can be any valid SPL command or pipeline. Supports complex searches with transforming commands, joins, and subsearches. Examples: 'index=* | stats count by sourcetype', 'search error | eval severity=case(...)' earliest_time (str, optional): Search start time in Splunk time format. Examples: '-24h', '-7d@d', '2023-01-01T00:00:00' Default: '-24h' latest_time (str, optional): Search end time in Splunk time format. Examples: 'now', '-1h', '@d', '2023-01-01T23:59:59' Default: 'now'
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | ||
| earliest_time | No | -24h | |
| latest_time | No | now |