/*
 * Copyright 2013 Splunk, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"): you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */

namespace Splunk
{
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;

    /// <summary>
    /// The <see cref="SavedSearch"/> class represents a saved search.
    /// </summary>
    public class SavedSearch : Entity
    {
        /// <summary>
        /// Initializes a new instance of the <see cref="SavedSearch"/> class.
        /// </summary>
        /// <param name="service">The connected service.</param>
        /// <param name="path">The path.</param>
        public SavedSearch(Service service, string path)
            : base(service, path)
        {
        }

        /// <summary>
        /// Gets or sets the password to use when authenticating with the
        /// SMTP server.
        /// </summary>
        /// <remarks>
        /// This property's default value is the empty string.
        /// </remarks>
        public string ActionEmailAuthPassword
        {
            // NOTE(review): the SMTP password goes through the same
            // plain-string accessors as every other setting in this class.
            // Treat the value as a secret: keep it out of logs, exception
            // messages and debug dumps of this entity.
            get { return this.GetString("action.email.auth_password", null); }
            set { this.SetCacheValue("action.email.auth_password", value); }
        }

        /// <summary>
        /// Gets or sets the username to use when authenticating with the SMTP
        /// server.
        /// </summary>
        /// <remarks>
        /// This property's default value is the empty string.
        /// </remarks>
        public string ActionEmailAuthUsername
        {
            get { return this.GetString("action.email.auth_username", null); }
            set { this.SetCacheValue("action.email.auth_username", value); }
        }

        /// <summary>
        /// Gets or sets the blind carbon copy (BCC) email address
        /// receiving alerts.
        /// </summary>
        public string ActionEmailBcc
        {
            get { return this.GetString("action.email.bcc", null); }
            set { this.SetCacheValue("action.email.bcc", value); }
        }

        /// <summary>
        /// Gets or sets the carbon copy (CC) email address receiving
        /// alerts.
/// </summary>
public string ActionEmailCc
{
    get { return this.GetString("action.email.cc", null); }
    set { this.SetCacheValue("action.email.cc", value); }
}

/// <summary>
/// Gets or sets the search command (or pipeline) that runs the action.
/// </summary>
/// <remarks>
/// Generally, the search command is a template search pipeline that is
/// realized with values from the saved search. To reference saved
/// search field values, wrap them in a '$' symbol. For example, use
/// $name$ to reference the saved search name, or use $search$ to
/// reference the search query.
/// </remarks>
public string ActionEmailCommand
{
    get { return this.GetString("action.email.command", null); }
    set { this.SetCacheValue("action.email.command", value); }
}

/// <summary>
/// Gets or sets the format of text in the email.
/// </summary>
/// <remarks>
/// This value also applies to any attachments formats. Valid values
/// are: "plain", "html", "raw", and "csv".
/// </remarks>
public string ActionEmailFormat
{
    get { return this.GetString("action.email.format", null); }
    set { this.SetCacheValue("action.email.format", value); }
}

/// <summary>
/// Gets or sets the email address from which the email action originates.
/// </summary>
/// <remarks>
/// The default is splunk@$LOCALHOST, or whatever value is set in
/// alert_actions.conf.
/// </remarks>
public string ActionEmailFrom
{
    get { return this.GetString("action.email.from", null); }
    set { this.SetCacheValue("action.email.from", value); }
}

/// <summary>
/// Gets or sets the host name used in the web link (URL) that is sent
/// in email alerts.
/// </summary>
/// <remarks>
/// This property's value can be in either of two forms:
/// <list type="bullet">
/// <item>hostname (for example, "splunkserver", "splunkserver.example.com")</item>
/// <item>protocol://hostname:port (for example, "http://splunkserver:8000",
/// "https://splunkserver.example.com:443")</item>
/// </list>
/// <para>
/// When set to a simple hostname, the protocol and port that are
/// configured within Splunk are used to construct the base of the URL.
/// When set to 'http://...', it is used verbatim.
/// This means the
/// correct port must be specified if it is not the default port for
/// http or https. This is useful in cases in which the Splunk server
/// is not aware of how to construct a URL that can be externally
/// referenced, such as single sign on (SSO) environments, other
/// proxies, or when the Splunk server hostname is not generally
/// resolvable.
/// </para>
/// <para>
/// When this property is set to an empty string, the default
/// behavior is used.
/// </para>
/// <para>This property's default value is the current hostname
/// provided by the operating system, or "localhost".
/// </para>
/// </remarks>
public string ActionEmailHostname
{
    // NOTE(review): a protocol://hostname:port value is documented as used
    // verbatim in the links placed in alert emails, and this accessor
    // stores the string as given. Whoever can edit the saved search
    // therefore decides where recipients' links point; whether the server
    // validates the value is not visible here.
    get { return this.GetString("action.email.hostname", null); }
    set { this.SetCacheValue("action.email.hostname", value); }
}

/// <summary>
/// Gets or sets a value indicating whether the search
/// results are contained in the body of the email.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailInline
{
    get { return this.GetBoolean("action.email.inline", false); }
    set { this.SetCacheValue("action.email.inline", value); }
}

/// <summary>
/// Gets or sets the address of the SMTP server that is used to send
/// the emails, in the form &lt;host&gt;[:&lt;port&gt;].
/// </summary>
/// <remarks>
/// <para>&lt;host&gt; can be either the hostname or the IP
/// address.</para>
/// <para>&lt;port&gt; is optional, and specifies the SMTP port
/// that Splunk should connect to.</para>
/// <para>If this property is not set, it defaults to the setting
/// defined in the
/// alert_actions.conf
/// file, or, if not set, to "$LOCALHOST:25".</para>
/// </remarks>
public string ActionEmailMailServer
{
    get { return this.GetString("action.email.mailserver", null); }
    set { this.SetCacheValue("action.email.mailserver", value); }
}

/// <summary>
/// Gets or sets the maximum number of search results to send in email
/// alerts.
/// </summary>
/// <remarks>
/// This property's default value is "100".
/// </remarks>
public int ActionEmailMaxResults
{
    get { return this.GetInteger("action.email.maxresults", -1); }
    set { this.SetCacheValue("action.email.maxresults", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time an email action takes
/// before the action is canceled.
/// </summary>
/// <remarks>
/// <para>
/// The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// <para>
/// This property's default value is "5m".
/// </para>
/// </remarks>
public string ActionEmailMaxTime
{
    get { return this.GetString("action.email.maxtime", null); }
    set { this.SetCacheValue("action.email.maxtime", value); }
}

/// <summary>
/// Gets or sets the name of the PDF view to deliver.
/// </summary>
/// <remarks>
/// This property is only valid if the <see cref="ActionEmailSendPdf"/>
/// property is set to true.
/// </remarks>
public string ActionEmailPdfView
{
    get { return this.GetString("action.email.pdfview", null); }
    set { this.SetCacheValue("action.email.pdfview", value); }
}

/// <summary>
/// Gets or sets a search string for preprocessing results before
/// emailing them.
/// </summary>
/// <remarks>
/// <para>Preprocessing usually involves filtering out unwanted
/// internal fields.</para>
/// <para>This property's default value is an empty string, which
/// indicates no preprocessing.</para>
/// </remarks>
public string ActionEmailPreProcessResults
{
    get { return this.GetString("action.email.preprocess_results", null); }
    set { this.SetCacheValue("action.email.preprocess_results", value); }
}

/// <summary>
/// Gets or sets a space-delimited list of character-identified
/// (CID) fonts for handling some Asian languages in integrated PDF
/// rendering.
/// </summary>
/// <remarks>
/// <para>
/// The fonts that can be listed include the following:
/// <list type="bullet">
/// <item>gb: Simplified Chinese</item>
/// <item>cns: Traditional Chinese</item>
/// <item>jp: Japanese</item>
/// <item>kor: Korean</item>
/// </list>
/// </para>
/// <para>
/// If multiple fonts provide a glyph for a given character code, the
/// glyph from the first font specified in the list is used.
/// </para>
/// <para>To skip loading any CID fonts, specify an empty string.</para>
/// <para>This property's default value is "gb cns jp kor".</para>
/// <para>This property is available in Splunk 5.0 and later.</para>
/// </remarks>
public string ActionEmailReportCIDFontList
{
    get { return this.GetString("action.email.reportCIDFontList", null); }
    set { this.SetCacheValue("action.email.reportCIDFontList", value); }
}

/// <summary>
/// Gets or sets a value indicating whether to include the
/// Splunk logo with the report.
/// </summary>
/// <remarks>
/// This property is available in Splunk 5.0 and later.
/// </remarks>
public bool ActionEmailReportIncludeSplunkLogo
{
    get
    {
        return this.GetBoolean(
            "action.email.reportIncludeSplunkLogo", false);
    }

    set
    {
        this.SetCacheValue(
            "action.email.reportIncludeSplunkLogo", value);
    }
}

/// <summary>
/// Gets or sets the paper orientation.
/// </summary>
/// <remarks>
/// <para>
/// Valid values for this property are "portrait" and "landscape".
/// </para>
/// <para>
/// This property's default value is "portrait".
/// </para>
/// </remarks>
public string ActionEmailReportPaperOrientation
{
    get
    {
        return this.GetString(
            "action.email.reportPaperOrientation", null);
    }

    set
    {
        this.SetCacheValue(
            "action.email.reportPaperOrientation", value);
    }
}

/// <summary>
/// Gets or sets the paper size for PDFs.
/// </summary>
/// <remarks>
/// <para>Valid values for this property are "letter", "legal",
/// "ledger", "a2", "a3", "a4", and "a5".</para>
/// <para>This property's default value is "letter".</para>
/// </remarks>
public string ActionEmailReportPaperSize
{
    get { return this.GetString("action.email.reportPaperSize", null); }
    set { this.SetCacheValue("action.email.reportPaperSize", value); }
}

/// <summary>
/// Gets or sets a value indicating whether the PDF server
/// is enabled.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailReportServerEnabled
{
    get
    {
        return this.GetBoolean(
            "action.email.reportServerEnabled", false);
    }

    set { this.SetCacheValue("action.email.reportServerEnabled", value); }
}

/// <summary>
/// Gets or sets the URL of the PDF report server, if one is set up and
/// available on the network.
/// </summary>
/// <remarks>
/// This property's default value for a locally installed report server
/// is "http://localhost:8091/".
/// </remarks>
public string ActionEmailReportServerUrl
{
    // NOTE(review): the documented default is a plain-http URL on
    // localhost. If this is pointed at a report server on another host,
    // an http:// URL would presumably carry report content unencrypted;
    // prefer https:// there — TODO confirm the report server supports it.
    get { return this.GetString("action.email.reportServerURL", null); }
    set { this.SetCacheValue("action.email.reportServerURL", value); }
}

/// <summary>
/// Gets or sets a value indicating whether to create and
/// send the results in PDF format.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailSendPdf
{
    get { return this.GetBoolean("action.email.sendpdf", false); }
    set { this.SetCacheValue("action.email.sendpdf", value); }
}

/// <summary>
/// Gets or sets a value indicating whether search results
/// are attached to an email.
/// </summary>
/// <remarks>
/// <para>
/// Results can be either attached or inline. For more information,
/// see <see cref="ActionEmailInline"/>.
/// </para>
/// <para>
/// This property's default value is false.
/// </para>
/// </remarks>
public bool ActionEmailSendResults
{
    get { return this.GetBoolean("action.email.sendresults", false); }
    set { this.SetCacheValue("action.email.sendresults", value); }
}

/// <summary>
/// Gets or sets the subject line of the email.
/// </summary>
/// <remarks>
/// This property's default value is
/// "SplunkAlert-&lt;savedsearchname&gt;".
/// </remarks>
public string ActionEmailSubject
{
    get { return this.GetString("action.email.subject", null); }
    set { this.SetCacheValue("action.email.subject", value); }
}

/// <summary>
/// Gets or sets a comma- or semicolon-delimited list of email
/// recipients receiving alerts.
/// </summary>
public string ActionEmailTo
{
    get { return this.GetString("action.email.to", null); }
    set { this.SetCacheValue("action.email.to", value); }
}

/// <summary>
/// Gets or sets a value indicating whether running this
/// email action results in a trackable alert.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailTrackAlert
{
    get { return this.GetBoolean("action.email.track_alert", false); }
    set { this.SetCacheValue("action.email.track_alert", value); }
}

/// <summary>
/// Gets or sets the minimum time-to-live (TTL), in seconds, of search
/// artifacts if this email action is triggered.
/// </summary>
/// <remarks>
/// <para>
/// If the value is a number followed by "p", it is the number of
/// scheduled search periods.
/// </para>
/// <para>
/// If no actions are triggered, the artifacts will have their TTL
/// determined by the "dispatch.ttl" attribute in savedsearches.conf.
/// </para>
/// <para>
/// This property's default value is "86400" (equal to 24 hours).
/// </para>
/// </remarks>
public string ActionEmailTtl
{
    get { return this.GetString("action.email.ttl", null); }
    set { this.SetCacheValue("action.email.ttl", value); }
}

/// <summary>
/// Gets or sets a value indicating whether to use secure
/// socket layer (SSL) when communicating with the SMTP server.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailUseSsl
{
    // NOTE(review): the documented default is false, and ActionEmailUseTls
    // also defaults to false. With both off, none of these settings asks
    // for an encrypted SMTP session, which matters once
    // action.email.auth_username / action.email.auth_password are set.
    // Enable one of the two for authenticated mail servers.
    get { return this.GetBoolean("action.email.use_ssl", false); }
    set { this.SetCacheValue("action.email.use_ssl", value); }
}

/// <summary>
/// Gets or sets a value indicating whether to use
/// transport layer security (TLS) when communicating with the SMTP
/// server.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool ActionEmailUseTls
{
    // NOTE(review): see the default of false above; how the server behaves
    // when both use_ssl and use_tls are set is not visible here — confirm.
    get { return this.GetBoolean("action.email.use_tls", false); }
    set { this.SetCacheValue("action.email.use_tls", value); }
}

/// <summary>
/// Gets or sets a value indicating whether columns should
/// be sorted from least wide to most wide, left to right.
/// </summary>
/// <remarks>
/// <para>
/// This property is only used when the <see cref="ActionEmailFormat"/>
/// property is set to "plain".
/// </para>
/// <para>This property's default value is true.</para>
/// </remarks>
public bool ActionEmailWidthSortColumns
{
    // NOTE(review): the remarks give the default as true, but the second
    // argument passed to GetBoolean here is false (presumably the value
    // returned when the key is missing) — confirm which is intended.
    get
    {
        return this.GetBoolean(
            "action.email.width_sort_columns", false);
    }

    set { this.SetCacheValue("action.email.width_sort_columns", value); }
}

/// <summary>
/// Gets or sets the search command (or pipeline) that runs the action.
/// </summary>
/// <remarks>
/// Generally the command is a template search pipeline that is
/// realized with values from the saved search. To reference saved
/// search field values, wrap them in the '$' symbol. For example, to
/// reference the saved search name use $name$; to reference
/// search use $search$.
/// </remarks>
public string ActionPopulateLookupCommand
{
    get { return this.GetString("action.populate_lookup.command", null); }
    set { this.SetCacheValue("action.populate_lookup.command", value); }
}

/// <summary>
/// Gets or sets the name of the lookup table or lookup path to
/// populate.
/// </summary>
public string ActionPopulateLookupDest
{
    get { return this.GetString("action.populate_lookup.dest", null); }
    set { this.SetCacheValue("action.populate_lookup.dest", value); }
}

/// <summary>
/// Gets or sets the host name used in the web link (URL) that is sent
/// in populate-lookup alerts.
/// </summary>
/// <remarks>
/// This property's value can be in either of two forms:
/// <list type="bullet">
/// <item>hostname (for example, "splunkserver", "splunkserver.example.com")</item>
/// <item>protocol://hostname:port (for example, "http://splunkserver:8000",
/// "https://splunkserver.example.com:443")</item>
/// </list>
/// </remarks>
public string ActionPopulateLookupHostname
{
    get { return this.GetString("action.populate_lookup.hostname", null); }
    set { this.SetCacheValue("action.populate_lookup.hostname", value); }
}

/// <summary>
/// Gets or sets the maximum number of search results to send in
/// populate-lookup alerts.
/// </summary>
/// <remarks>
/// This property's default value is "100".
/// </remarks>
public int ActionPopulateLookupMaxResults
{
    get { return this.GetInteger("action.populate_lookup.maxresults", -1); }
    set { this.SetCacheValue("action.populate_lookup.maxresults", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time an alert action takes
/// before the action is canceled.
/// </summary>
/// <remarks>
/// <para>
/// The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// <para>
/// This property's default value is "5m".
/// </para>
/// </remarks>
public string ActionPopulateLookupMaxTime
{
    get { return this.GetString("action.populate_lookup.maxtime", null); }
    set { this.SetCacheValue("action.populate_lookup.maxtime", value); }
}

/// <summary>
/// Gets or sets a value indicating whether running this
/// populate-lookup action results in a trackable alert.
/// </summary>
public bool ActionPopulateLookupTrackAlert
{
    get
    {
        return this.GetBoolean(
            "action.populate_lookup.track_alert", false);
    }

    set { this.SetCacheValue("action.populate_lookup.track_alert", value); }
}

/// <summary>
/// Gets or sets the minimum time-to-live (TTL), in seconds, of search
/// artifacts if this populate-lookup action is triggered.
/// </summary>
/// <remarks>
/// <para>If the value is a number followed by "p", it is the number of
/// scheduled search periods.</para>
/// <para>If no actions are triggered, the artifacts will have their TTL
/// determined by the "dispatch.ttl" attribute in savedsearches.conf.
/// </para>
/// <para>This property's default value is "10p".</para>
/// </remarks>
public string ActionPopulateLookupTtl
{
    get { return this.GetString("action.populate_lookup.ttl", null); }
    set { this.SetCacheValue("action.populate_lookup.ttl", value); }
}

/// <summary>
/// Gets or sets the search command (or pipeline) that runs the action.
/// </summary>
/// <remarks>
/// <para>
/// Generally the command is a template search pipeline that is
/// realized with values from the saved search. To reference saved
/// search field values, wrap them in the '$' symbol. For example, to
/// reference the saved search name use $name$; to reference
/// search use $search$.
/// </para>
/// </remarks>
public string ActionRssCommand
{
    get { return this.GetString("action.rss.command", null); }
    set { this.SetCacheValue("action.rss.command", value); }
}

/// <summary>
/// Gets or sets the host name used in the web link (URL) that is sent
/// in RSS alerts.
/// </summary>
/// <remarks>
/// This property's value can be in either of two forms:
/// <list type="bullet">
/// <item>hostname (for example, "splunkserver",
/// "splunkserver.example.com")</item>
/// <item>protocol://hostname:port (for example,
/// "http://splunkserver:8000",
/// "https://splunkserver.example.com:443")</item>
/// </list>
/// <para>
/// When set to a simple hostname, the protocol and port that are
/// configured within Splunk are used to construct the base of the URL.
/// When set to 'http://...', it is used verbatim. This means the
/// correct port must be specified if it is not the default port for
/// http or https. This is useful in cases in which the Splunk server
/// is not aware of how to construct a URL that can be externally
/// referenced, such as single sign on (SSO) environments, other
/// proxies, or when the Splunk server hostname is not generally
/// resolvable.
/// </para>
/// <para>
/// When this property is set to an empty string, the default
/// behavior is used.
/// </para>
/// <para>This property's default value is the current hostname
/// provided by the operating system, or "localhost".
/// </para>
/// </remarks>
public string ActionRssHostname
{
    get { return this.GetString("action.rss.hostname", null); }
    set { this.SetCacheValue("action.rss.hostname", value); }
}

/// <summary>
/// Gets or sets the maximum number of search results to send in
/// RSS alerts.
/// </summary>
/// <remarks>
/// This property's default value is "100".
/// </remarks>
public int ActionRssMaxResults
{
    get { return this.GetInteger("action.rss.maxresults", -1); }
    set { this.SetCacheValue("action.rss.maxresults", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time an RSS alert action takes
/// before the action is canceled.
/// </summary>
/// <remarks>
/// <para>The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// This property's default value is "1m".
/// </remarks>
public string ActionRssMaxTime
{
    get { return this.GetString("action.rss.maxtime", null); }
    set { this.SetCacheValue("action.rss.maxtime", value); }
}

/// <summary>
/// Gets or sets a value indicating whether running this
/// RSS action results in a trackable alert.
/// </summary>
public bool ActionRssTrackAlert
{
    get { return this.GetBoolean("action.rss.track_alert", false); }
    set { this.SetCacheValue("action.rss.track_alert", value); }
}

/// <summary>
/// Gets or sets the minimum time-to-live (TTL) of search artifacts if
/// this RSS action is triggered.
/// </summary>
/// <remarks>
/// <para>
/// If the value is a number followed by "p", it is the number of
/// scheduled search periods.
/// </para>
/// <para>
/// If no actions are triggered, the artifacts will have their TTL
/// determined by the "dispatch.ttl" attribute in savedsearches.conf.
/// </para>
/// <para>
/// This property's default value is "86400" (equal to 24 hours).
/// </para>
/// </remarks>
public string ActionRssTtl
{
    get { return this.GetString("action.rss.ttl", null); }
    set { this.SetCacheValue("action.rss.ttl", value); }
}

/// <summary>
/// Gets or sets the search command (or pipeline) that runs the action.
/// </summary>
/// <remarks>
/// Generally the command is a template search pipeline that is
/// realized with values from the saved search. To reference saved
/// search field values, wrap them in the '$' symbol. For example, to
/// reference the saved search name use $name$; to reference
/// search use $search$.
/// </remarks>
public string ActionScriptCommand
{
    get { return this.GetString("action.script.command", null); }
    set { this.SetCacheValue("action.script.command", value); }
}

/// <summary>
/// Gets or sets the file name of the script to call.
/// </summary>
/// <remarks>
/// This value is required if script action is enabled
/// (that is, when the property that enables the script action
/// is set to true).
/// </remarks>
public string ActionScriptFilename
{
    // NOTE(review): this names the script the alert action calls, so
    // write access to a saved search is in effect a choice of what gets
    // run when the alert fires. Limit who may edit saved searches and
    // review changes to this setting. How the server resolves or
    // restricts the file name is not visible here — confirm.
    get { return this.GetString("action.script.filename", null); }
    set { this.SetCacheValue("action.script.filename", value); }
}

/// <summary>
/// Gets or sets the host name used in the web link (URL) that is sent
/// in script alerts.
/// </summary>
/// <remarks>
/// This property's value can be in either of two forms:
/// <list type="bullet">
/// <item>hostname (for example, "splunkserver",
/// "splunkserver.example.com")</item>
/// <item>protocol://hostname:port (for example,
/// "http://splunkserver:8000",
/// "https://splunkserver.example.com:443")</item>
/// </list>
/// <para>
/// When set to a simple hostname, the protocol and port that are
/// configured within Splunk are used to construct the base of the URL.
/// When set to 'http://...', it is used verbatim. This means the
/// correct port must be specified if it is not the default port for
/// http or https. This is useful in cases in which the Splunk server
/// is not aware of how to construct a URL that can be externally
/// referenced, such as single sign on (SSO) environments, other
/// proxies, or when the Splunk server hostname is not generally
/// resolvable.
/// </para>
/// <para>
/// When this property is set to an empty string, the default
/// behavior is used.
/// </para>
/// <para>This property's default value is the current hostname
/// provided by the operating system, or "localhost".
/// </para>
/// </remarks>
public string ActionScriptHostname
{
    get { return this.GetString("action.script.hostname", null); }
    set { this.SetCacheValue("action.script.hostname", value); }
}

/// <summary>
/// Gets or sets the maximum number of search results to send in
/// script alerts.
/// </summary>
/// <remarks>
/// This property's default value is "100".
/// </remarks>
public int ActionScriptMaxResults
{
    get { return this.GetInteger("action.script.maxresults", -1); }
    set { this.SetCacheValue("action.script.maxresults", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time a script action takes
/// before the action is canceled.
/// </summary>
/// <remarks>
/// <para>
/// The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// This property's default value is "5m".
/// </remarks>
public string ActionScriptMaxTime
{
    get { return this.GetString("action.script.maxtime", null); }
    set { this.SetCacheValue("action.script.maxtime", value); }
}

/// <summary>
/// Gets or sets a value indicating whether running this
/// script action results in a trackable alert.
/// </summary>
public bool ActionScriptTrackAlert
{
    get { return this.GetBoolean("action.script.track_alert", false); }
    set { this.SetCacheValue("action.script.track_alert", value); }
}

/// <summary>
/// Gets or sets the minimum time-to-live (TTL) of search artifacts if
/// this script action is triggered.
/// </summary>
/// <remarks>
/// <para>
/// If the value is a number followed by "p", it is the number of
/// scheduled search periods.
/// </para>
/// <para>
/// If no actions are triggered, the artifacts will have their TTL
/// determined by the "dispatch.ttl" attribute in savedsearches.conf.
/// </para>
/// <para>
/// This property's default value is "600" (equal to 10 minutes).
/// </para>
/// </remarks>
public string ActionScriptTtl
{
    get { return this.GetString("action.script.ttl", null); }
    set { this.SetCacheValue("action.script.ttl", value); }
}

/// <summary>
/// Gets or sets the name of the summary index where the results of the
/// scheduled search are saved.
/// </summary>
/// <remarks>
/// This property's default value is "summary".
/// </remarks>
public string ActionSummaryIndexName
{
    get { return this.GetString("action.summary_index._name", null); }
    set { this.SetCacheValue("action.summary_index._name", value); }
}

/// <summary>
/// Gets or sets the search command (or pipeline) that runs the action.
/// </summary>
/// <remarks>
/// Generally the command is a template search pipeline that is
/// realized with values from the saved search. To reference saved
/// search field values, wrap them in the '$' symbol. For example, to
/// reference the saved search name use $name$; to reference
/// search use $search$.
/// </remarks>
public string ActionSummaryIndexCommand
{
    get { return this.GetString("action.summary_index.command", null); }
    set { this.SetCacheValue("action.summary_index.command", value); }
}

/// <summary>
/// Gets or sets the host name used in the web link (URL) that is sent
/// in summary-index alerts.
/// </summary>
/// <remarks>
/// This property's value can be in either of two forms:
/// <list type="bullet">
/// <item>hostname (for example, "splunkserver",
/// "splunkserver.example.com")</item>
/// <item>protocol://hostname:port (for example,
/// "http://splunkserver:8000",
/// "https://splunkserver.example.com:443")</item>
/// </list>
/// <para>
/// When set to a simple hostname, the protocol and port that are
/// configured within Splunk are used to construct the base of the URL.
/// When set to 'http://...', it is used verbatim. This means the
/// correct port must be specified if it is not the default port for
/// http or https. This is useful in cases in which the Splunk server
/// is not aware of how to construct a URL that can be externally
/// referenced, such as single sign on (SSO) environments, other
/// proxies, or when the Splunk server hostname is not generally
/// resolvable.
/// </para>
/// <para>
/// When this property is set to an empty string, the default
/// behavior is used.
/// </para>
/// <para>This property's default value is the current hostname
/// provided by the operating system, or "localhost".
/// </para>
/// </remarks>
public string ActionSummaryIndexHostname
{
    get { return this.GetString("action.summary_index.hostname", null); }
    set { this.SetCacheValue("action.summary_index.hostname", value); }
}

/// <summary>
/// Gets or sets a value indicating whether to run the
/// summary indexing action as part of the scheduled search.
/// </summary>
/// <remarks>
/// <para>
/// This property is only considered if the summary-index action is
/// enabled and is always executed—that is, if counttype =
/// always.
/// </para>
/// <para>
/// This property's default value is true.
/// </para>
/// </remarks>
public bool ActionSummaryIndexInline
{
    // NOTE(review): the remarks give the default as true, but the second
    // argument passed to GetBoolean here is false (presumably the value
    // returned when the key is missing) — confirm which is intended.
    get { return this.GetBoolean("action.summary_index.inline", false); }
    set { this.SetCacheValue("action.summary_index.inline", value); }
}

/// <summary>
/// Gets or sets the maximum number of search results to send in
/// summary-index alerts.
/// </summary>
/// <remarks>
/// This property's default value is "100".
/// </remarks>
public int ActionSummaryIndexMaxResults
{
    get { return this.GetInteger("action.summary_index.maxresults", -1); }
    set { this.SetCacheValue("action.summary_index.maxresults", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time a summary-index action
/// takes before the action is canceled.
/// </summary>
/// <remarks>
/// <para>The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// This property's default value is "5m".
/// </remarks>
public string ActionSummaryIndexMaxTime
{
    get { return this.GetString("action.summary_index.maxtime", null); }
    set { this.SetCacheValue("action.summary_index.maxtime", value); }
}

/// <summary>
/// Gets or sets a value indicating whether running this
/// summary-index action results in a trackable alert.
/// </summary>
public bool ActionSummaryIndexTrackAlert
{
    get
    {
        return this.GetBoolean(
            "action.summary_index.track_alert", false);
    }

    set { this.SetCacheValue("action.summary_index.track_alert", value); }
}

/// <summary>
/// Gets or sets the minimum time-to-live (TTL) of search artifacts if
/// this summary-index action is triggered.
/// </summary>
/// <remarks>
/// <para>If the value is a number followed by "p", it is the number of
/// scheduled search periods.</para>
/// <para>This property's default value is "10p".</para>
/// <para>If no actions are triggered, the artifacts will have their TTL
/// determined by the "dispatch.ttl" attribute in savedsearches.conf.
/// </para>
/// </remarks>
public string ActionSummaryIndexTtl
{
    get { return this.GetString("action.summary_index.ttl", null); }
    set { this.SetCacheValue("action.summary_index.ttl", value); }
}

/// <summary>
/// Gets or sets a value indicating whether Splunk applies
/// the alert actions to the entire result set (digest) or to each
/// individual search result (per result).
/// </summary>
/// <remarks>
/// <para>
/// This property's default value is true.
/// </para>
/// </remarks>
public bool AlertDigestMode
{
    // NOTE(review): the remarks give the default as true, but the second
    // argument passed to GetBoolean here is false (presumably the value
    // returned when the key is missing) — confirm which is intended.
    get { return this.GetBoolean("alert.digest_mode", false); }
    set { this.SetCacheValue("alert.digest_mode", value); }
}

/// <summary>
/// Gets or sets the amount of time to show the alert in the dashboard.
/// The valid format is a number followed by a time unit ("s", "m", "h",
/// or "d").
/// </summary>
/// <remarks>
/// <para>The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// <para>
/// This property's default value is "24h".
/// </para>
/// </remarks>
public string AlertExpires
{
    get { return this.GetString("alert.expires"); }
    set { this.SetCacheValue("alert.expires", value); }
}

/// <summary>
/// Gets or sets the alert severity level.
/// </summary>
/// <remarks>
/// <para>
/// The property's value can be one of the following integers:
/// <list type="bullet">
/// <item>"1" indicates DEBUG</item>
/// <item>"2" indicates INFO</item>
/// <item>"3" indicates WARN</item>
/// <item>"4" indicates ERROR</item>
/// <item>"5" indicates SEVERE</item>
/// <item>"6" indicates FATAL</item>
/// </list>
/// </para>
/// <para>
/// This property's default value is "3".
/// </para>
/// </remarks>
public int AlertSeverity
{
    get { return this.GetInteger("alert.severity"); }
    set { this.SetCacheValue("alert.severity", value); }
}

/// <summary>
/// Gets or sets a value indicating whether alert
/// suppression is enabled for this search.
/// </summary>
public bool AlertSuppress
{
    get { return this.GetBoolean("alert.suppress", false); }
    set { this.SetCacheValue("alert.suppress", value); }
}

/// <summary>
/// Gets or sets a comma-delimited list of fields to use for alert
/// suppression when doing per-result alerting.
/// </summary>
/// <remarks>
/// <para>
/// This property is required if suppression is turned on and
/// per-result alerting is enabled.
/// </para>
/// </remarks>
public string AlertSuppressFields
{
    get { return this.GetString("alert.suppress.fields", null); }
    set { this.SetCacheValue("alert.suppress.fields", value); }
}

/// <summary>
/// Gets or sets the suppression period, which is only valid if
/// <see cref="AlertSuppress"/> is enabled.
/// </summary>
/// <remarks>
/// <para>The property value's valid format is an integer
/// followed by a time unit ("s" for seconds, "m" for minutes, "h" for
/// hours, or "d" for days). For instance, "2s" means 2 seconds.
/// </para>
/// </remarks>
public string AlertSuppressPeriod
{
    get { return this.GetString("alert.suppress.period", null); }
    set { this.SetCacheValue("alert.suppress.period", value); }
}

/// <summary>
/// Gets or sets a keyword value indicating how to track the
/// actions triggered by this saved search.
/// </summary>
/// <remarks>
/// <para>
/// This property's value can be one of the following keywords:
/// <list type="bullet">
/// <item>"true" indicates enabled</item>
/// <item>"false" indicates disabled</item>
/// <item>"auto" indicates that tracking is based on the setting of
/// each action</item>
/// </list>
/// </para>
/// </remarks>
public string AlertTrack
{
    get { return this.GetString("alert.track"); }
    set { this.SetCacheValue("alert.track", value); }
}

/// <summary>
/// Gets or sets the alert comparator for alert triggering.
/// </summary>
/// <remarks>
/// <para>
/// This property's value can be one of the following strings:
/// <list type="bullet">
/// <item>"greater than"</item>
/// <item>"less than"</item>
/// <item>"equal to"</item>
/// <item>"rises by"</item>
/// <item>"drops by"</item>
/// <item>"rises by perc"</item>
/// <item>"drops by perc"</item>
/// </list>
/// </para>
/// <para>
/// This property is used with <see cref="AlertThreshold"/> to
/// trigger alert actions.
/// </para>
/// </remarks>
public string AlertComparator
{
    get { return this.GetString("alert_comparator", null); }
    set { this.SetCacheValue("alert_comparator", value); }
}

/// <summary>
/// Gets or sets a conditional search that is evaluated against the
/// results of the saved search.
/// </summary>
/// <remarks>
/// <para>
/// Alerts are triggered if the specified search yields a non-empty
/// search result list.
/// </para>
/// <para>
/// This property's default value is an empty string.
/// </para>
/// </remarks>
public string AlertCondition
{
    get { return this.GetString("alert_condition", null); }
    set { this.SetCacheValue("alert_condition", value); }
}

/// <summary>
/// Gets or sets the value to compare to before triggering the alert
/// action.
/// </summary>
/// <remarks>
/// <para>
/// If this value is expressed as a percentage, it indicates the
/// value to use when <see cref="AlertComparator"/> is set to "rises by
/// perc" or "drops by perc."
/// </para>
/// </remarks>
public string AlertThreshold
{
    get { return this.GetString("alert_threshold", null); }
    set { this.SetCacheValue("alert_threshold", value); }
}

/// <summary>
/// Gets or sets a value indicating what to base the alert on.
/// </summary>
/// <remarks>
/// <para>
/// This property's value can be one of the following strings:
/// <list type="bullet">
/// <item>"always"</item>
/// <item>"custom"</item>
/// <item>"number of events"</item>
/// <item>"number of hosts"</item>
/// <item>"number of sources"</item>
/// </list>
/// </para>
/// <para>
/// This property is overridden by the <see cref="AlertCondition"/>
/// property if specified.
/// </para>
/// </remarks>
public string AlertType
{
    get { return this.GetString("alert_type"); }
    set { this.SetCacheValue("alert_type", value); }
}

/// <summary>
/// Gets or sets the maximum ratio of summary_size/bucket_size, which
/// specifies when to stop summarization and deem it unhelpful for a
/// bucket.
/// </summary>
/// <remarks>
/// <para>
/// The test is only performed if the summary size is larger than
/// 5 megabytes (MB).
/// </para>
/// <para>
/// This property's default value is "0.1".
/// </para>
/// <para>
/// This property is available in Splunk 5.0 and later.
/// </para>
/// </remarks>
public double AutoSummarizeMaxSummaryRatio
{
    get
    {
        return this.GetFloat("auto_summarize.max_summary_ratio", -1.0);
    }

    set
    {
        this.SetCacheValue("auto_summarize.max_summary_ratio", value);
    }
}

/// <summary>
/// Gets or sets the cron-style schedule for running this saved search.
/// </summary>
/// <remarks>
/// <para>
/// Use standard cron notation to define your scheduled search
/// interval. The cron format can accept this type of notation:
/// "00,20,40 * * * *", which runs the search every hour at hh:00,
/// hh:20, and hh:40. Along the same lines, a cron of 03,23,43 * * * *
/// runs the search every hour at hh:03, hh:23, hh:43.
///
///
/// Splunk recommends that you schedule your searches so that
/// they are staggered over time. This reduces system load. Running
/// all of them every 20 minutes (*/20) means they would all launch at
/// hh:00 (20, 40) and might slow your system every 20 minutes.
///
///
public string CronSchedule
{
    get { return GetString("cron_schedule", null); }
    set { SetCacheValue("cron_schedule", value); }
}

/// <summary>
/// Gets or sets the human-readable description of this saved search.
/// </summary>
/// <remarks>
/// This property's default value is an empty string.
/// </remarks>
public string Description
{
    get { return GetString("description", null); }
    set { SetCacheValue("description", value); }
}

/// <summary>
/// Gets or sets the maximum number of timeline buckets.
/// </summary>
/// <remarks>
/// This property's default value is "0".
/// </remarks>
public int DispatchBuckets
{
    get { return GetInteger("dispatch.buckets"); }
    set { SetCacheValue("dispatch.buckets", value); }
}

/// <summary>
/// Gets or sets the time string that marks the earliest time covered
/// by this search.
/// </summary>
/// <remarks>
/// The value can be a relative or an absolute time, formatted as
/// described by <see cref="DispatchTimeFormat"/>.
/// </remarks>
public string DispatchEarliestTime
{
    get { return GetString("dispatch.earliest_time", null); }
    set { SetCacheValue("dispatch.earliest_time", value); }
}

/// <summary>
/// Gets or sets the time string that marks the latest time covered by
/// this search.
/// </summary>
/// <remarks>
/// The value can be a relative or an absolute time, formatted as
/// described by <see cref="DispatchTimeFormat"/>.
/// </remarks>
public string DispatchLatestTime
{
    get { return GetString("dispatch.latest_time", null); }
    set { SetCacheValue("dispatch.latest_time", value); }
}

///
/// Gets or sets a value indicating whether lookups are
/// enabled for this search.
///
///
/// This property's default value is true.
///
///
public bool DispatchLookups
{
    get { return GetBoolean("dispatch.lookups"); }
    set { SetCacheValue("dispatch.lookups", value); }
}

/// <summary>
/// Gets or sets the maximum number of results collected before the
/// search is finalized.
/// </summary>
/// <remarks>
/// This property's default value is "500000".
/// </remarks>
public int DispatchMaxCount
{
    get { return GetInteger("dispatch.max_count"); }
    set { SetCacheValue("dispatch.max_count", value); }
}

/// <summary>
/// Gets or sets the maximum amount of time, in seconds, that may pass
/// before the search is finalized.
/// </summary>
/// <remarks>
/// This property's default value is "0". The value is read and written
/// as a string.
/// </remarks>
public string DispatchMaxTime
{
    get { return GetString("dispatch.max_time"); }
    set { SetCacheValue("dispatch.max_time", value); }
}

/// <summary>
/// Gets or sets an integer that specifies how frequently Splunk runs
/// the MapReduce reduce phase on accumulated map values.
/// </summary>
/// <remarks>
/// This property's default value is "10".
/// </remarks>
public int DispatchReduceFreq
{
    get { return GetInteger("dispatch.reduce_freq"); }
    set { SetCacheValue("dispatch.reduce_freq", value); }
}

/// <summary>
/// Gets or sets a value indicating whether the real-time window of
/// this search is backfilled.
/// </summary>
/// <remarks>
/// <para>
/// This property is only valid for real-time searches.
/// </para>
/// <para>
/// This property's default value is false.
/// </para>
/// </remarks>
public bool DispatchRtBackfill
{
    get { return GetBoolean("dispatch.rt_backfill", false); }
    set { SetCacheValue("dispatch.rt_backfill", value); }
}

///
/// Gets or sets a value indicating whether Splunk spawns
/// a new search process when running this saved search.
///
///
///
/// Searches against indexes must run in a separate process.
///
///
/// This property's default value is true.
///
///
public bool DispatchSpawnProcess
{
    get { return GetBoolean("dispatch.spawn_process"); }
    set { SetCacheValue("dispatch.spawn_process", value); }
}

/// <summary>
/// Gets or sets the format string used to express the earliest and
/// latest times of this search.
/// </summary>
/// <remarks>
/// This property's default value is "%FT%T.%Q%:z".
/// </remarks>
public string DispatchTimeFormat
{
    get { return GetString("dispatch.time_format"); }
    set { SetCacheValue("dispatch.time_format", value); }
}

/// <summary>
/// Gets or sets the time to live (TTL) of the scheduled search's
/// artifacts (the time before the search job expires and artifacts
/// are still available) when no actions are triggered.
/// </summary>
/// <remarks>
/// <para>
/// If an action is triggered, Splunk changes the TTL to that action's
/// TTL. If multiple actions are triggered, Splunk applies the maximum
/// TTL to the artifacts.
/// </para>
/// <para>
/// A number followed by "p" is a count of scheduled search periods.
/// This property's default value is "2p".
/// </para>
/// </remarks>
public string DispatchTtl
{
    get { return GetString("dispatch.ttl"); }
    set { SetCacheValue("dispatch.ttl", value); }
}

/// <summary>
/// Gets or sets the name (not the label) of the default UI view in
/// which the results are loaded.
/// </summary>
/// <remarks>
/// Access is dependent on the user having sufficient permissions.
/// </remarks>
public string DisplayView
{
    get { return GetString("displayview", null); }
    set { SetCacheValue("displayview", value); }
}

/// <summary>
/// Gets or sets how many instances of this search the scheduler may
/// run concurrently.
/// </summary>
/// <remarks>
/// This property's default value is "1".
/// </remarks>
public int MaxConcurrent
{
    get { return GetInteger("max_concurrent"); }
    set { SetCacheValue("max_concurrent", value); }
}

///
/// Gets the time at which the scheduler will run this search
/// again.
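///
public DateTime NextScheduledTime
{
    // DateTime.MaxValue is the second argument handed to GetDate.
    get { return GetDate("next_scheduled_time", DateTime.MaxValue); }
}

/// <summary>
/// Gets the exact search string that the scheduler will run.
/// </summary>
public string QualifiedSearch
{
    // The attribute is spelled "qualifiedSearch". The key used here
    // before, "qualfiedSearch", was missing an "i" and so did not name
    // that attribute.
    get { return GetString("qualifiedSearch", null); }
}

/// <summary>
/// Gets or sets a value indicating how the scheduler computes the next
/// run time of a scheduled search.
/// </summary>
/// <remarks>
/// <para>
/// The possible values are:
/// <list type="bullet">
/// <item><description>"0": the scheduler bases the next scheduled
/// search on the last search execution time (continuous scheduling).
/// The scheduler will never skip scheduled execution periods, but the
/// execution of the saved search might fall behind depending on the
/// scheduler's load. Use continuous scheduling whenever you enable the
/// summary index option.</description></item>
/// <item><description>"1": the scheduler executes the searches running
/// over the most recent time range, and therefore might skip some
/// execution periods to keep up.</description></item>
/// </list>
/// </para>
/// <para>
/// This property's default value is "1".
/// </para>
/// </remarks>
public int RealtimeSchedule
{
    get { return GetInteger("realtime_schedule"); }
    set { SetCacheValue("realtime_schedule", value); }
}

/// <summary>
/// Gets or sets the app in which Splunk Web dispatches this search.
/// </summary>
public string RequestUiDispatchApp
{
    get { return GetString("request.ui_dispatch_app", null); }
    set { SetCacheValue("request.ui_dispatch_app", value); }
}

/// <summary>
/// Gets or sets the view in which Splunk Web displays this search.
/// </summary>
public string RequestUiDispatchView
{
    get { return GetString("request.ui_dispatch_view", null); }
    set { SetCacheValue("request.ui_dispatch_view", value); }
}

///
/// Gets or sets a value indicating whether a real-time
/// search managed by the scheduler is restarted when a search peer
/// becomes available for this saved search.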
///
///
///
/// The peer can be a newly added peer or a peer that has been down
/// and has become available.
///
///
/// This property's default value is true.
///
///
public bool RestartOnSearchPeerAdd
{
    get { return GetBoolean("restart_on_searchpeer_add"); }
    set { SetCacheValue("restart_on_searchpeer_add", value); }
}

/// <summary>
/// Gets or sets a value indicating whether this search is run when
/// Splunk starts.
/// </summary>
/// <remarks>
/// <para>
/// If the search is not run on startup, it runs at the next scheduled
/// time.
/// </para>
/// <para>
/// Splunk recommends that you set this property to true for scheduled
/// searches that populate lookup tables.
/// </para>
/// <para>
/// This property's default value is false.
/// </para>
/// </remarks>
public bool RunOnStartup
{
    get { return GetBoolean("run_on_startup"); }
    set { SetCacheValue("run_on_startup", value); }
}

/// <summary>
/// Gets or sets the search expression for this saved search.
/// </summary>
/// <remarks>
/// The setter stores the string unchanged. Callers that assemble the
/// expression from external input should validate that input before
/// assigning it here.
/// </remarks>
public string Search
{
    get { return GetString("search"); }
    set { SetCacheValue("search", value); }
}

/// <summary>
/// Gets or sets the view state ID associated with the view named by
/// <see cref="DisplayView"/>.
/// </summary>
/// <remarks>
/// This ID corresponds to a stanza in the viewstates.conf
/// configuration file.
/// </remarks>
public string Vsid
{
    get { return GetString("vsid", null); }
    set { SetCacheValue("vsid", value); }
}

/// <summary>
/// Gets a value indicating whether the email action is enabled.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool IsActionEmail
{
    get { return GetBoolean("action.email"); }
}

/// <summary>
/// Gets a value indicating whether the populate-lookup action is
/// enabled.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool IsActionPopulateLookup
{
    get { return GetBoolean("action.populate_lookup"); }
}

///
/// Gets a value indicating whether RSS action is enabled.
///
///
///
/// This property's default value is false.
///
///
public bool IsActionRss
{
    get { return GetBoolean("action.rss"); }
}

/// <summary>
/// Gets a value indicating whether the script action is enabled.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool IsActionScript
{
    get { return GetBoolean("action.script"); }
}

/// <summary>
/// Gets a value indicating whether the summary-index action is
/// enabled.
/// </summary>
/// <remarks>
/// This property's default value is false.
/// </remarks>
public bool IsActionSummaryIndex
{
    get { return GetBoolean("action.summary_index"); }
}

/// <summary>
/// Gets or sets a value indicating whether this search is run on a
/// schedule.
/// </summary>
public bool IsScheduled
{
    get { return GetBoolean("is_scheduled"); }
    set { SetCacheValue("is_scheduled", value); }
}

/// <summary>
/// Gets or sets a value indicating whether the search should be
/// visible in the saved search list.
/// </summary>
/// <remarks>
/// This property's default value is true.
/// </remarks>
public bool IsVisible
{
    get { return GetBoolean("is_visible"); }
    set { SetCacheValue("is_visible", value); }
}

/// <summary>
/// Sets a comma-separated list of actions to enable.
/// </summary>
/// <remarks>
/// The value can include any of the following strings, separated by
/// commas: "email", "populate_lookup", "rss", "script", and
/// "summary_index". The property is write-only and is declared with
/// <c>new</c>, so it hides an inherited member of the same name.
/// </remarks>
public new string Actions
{
    set { SetCacheValue("actions", value); }
}

/// <summary>
/// Sets a wildcard argument that accepts any action.
/// </summary>
/// <remarks>
/// Use this property to pass specific action arguments, for example
/// the recipients of the email action. The value is stored under the
/// literal key "action.*".
/// </remarks>
public string ActionWildcard
{
    set { SetCacheValue("action.*", value); }
}

///
/// Sets a wildcard argument that accepts any saved search template
/// argument.
///
///
///
/// An example saved search template is "args.username=foobar" when
/// the search is "search $username$".
///
///
public string ArgsWildcard
{
    set { SetCacheValue("args.*", value); }
}

/// <summary>
/// Sets a value indicating whether the saved search is disabled.
/// </summary>
/// <remarks>
/// <para>
/// Disabled searches are not visible in Splunk Web.
/// </para>
/// <para>
/// This property's default value is false.
/// </para>
/// </remarks>
public bool Disabled
{
    set { SetCacheValue("disabled", value); }
}

/// <summary>
/// Sets a wildcard argument that accepts any dispatch-related
/// argument.
/// </summary>
public string DispatchWildcard
{
    set { SetCacheValue("dispatch.*", value); }
}

/// <summary>
/// Acknowledges the suppression of alerts from this saved search and
/// resumes alerting.
/// </summary>
public void Acknowledge()
{
    string endpoint = this.ActionPath("acknowledge");
    this.Service.Post(endpoint);

    // Called after the POST, as in every action method of this class.
    this.Invalidate();
}

/// <summary>
/// Returns the path that corresponds to the requested action.
/// </summary>
/// <param name="action">The requested action.</param>
/// <returns>The path to the action.</returns>
protected override string ActionPath(string action)
{
    // "acknowledge", "dispatch" and "history" live directly under this
    // entity's path; any other action is resolved by the base class.
    if (action.Equals("acknowledge")
        || action.Equals("dispatch")
        || action.Equals("history"))
    {
        return this.Path + "/" + action;
    }

    return base.ActionPath(action);
}

/// <summary>
/// Runs the saved search.
/// </summary>
/// <returns>The <see cref="Job"/>.</returns>
public Job Dispatch()
{
    return Dispatch(null);
}

/// <summary>
/// Runs the saved search using dispatch arguments.
/// </summary>
/// <param name="args">The arguments.</param>
/// <returns>The <see cref="Job"/>.</returns>
public Job Dispatch(Args args)
{
    string endpoint = this.ActionPath("dispatch");
    ResponseMessage reply = this.Service.Post(endpoint, args);
    this.Invalidate();

    // NOTE(review): the sid is taken from the server's response and is
    // appended to the job path below without escaping -- confirm that
    // Job or Service encodes path segments.
    string sid = Job.SidExtraction(reply);
    Job found = this.Service.GetJobs().Get(sid);

    // If job not yet scheduled, create an empty job object
    return found == null
        ? new Job(this.Service, "search/jobs/" + sid)
        : found;
}

/// <summary>
/// Runs the saved search using dispatch arguments.
/// </summary>
/// <param name="args">The arguments.</param>
/// <returns>The <see cref="Job"/>.</returns>
public Job Dispatch(SavedSearchDispatchArgs args)
{
    // The cast selects the Dispatch(Args) overload.
    Args plainArgs = (Args)args;
    return this.Dispatch(plainArgs);
}

///
/// Returns an array of search jobs created from this saved search.
///
/// An array of Jobs.
public Job[] History()
{
    ResponseMessage reply = this.Service.Get(this.ActionPath("history"));
    AtomFeed feed = AtomFeed.Parse(reply.Content);

    Job[] jobs = new Job[feed.Entries.Count];
    for (int index = 0; index < jobs.Length; index++)
    {
        // Each entry's title is used as the job's sid.
        // NOTE(review): the title comes from the parsed response and is
        // appended to the path without escaping -- confirm that Job or
        // Service encodes path segments.
        jobs[index] = new Job(this.Service, "search/jobs/" + feed.Entries[index].Title);
    }

    return jobs;
}

/// <summary>
/// Updates the entity with the values you previously set using the
/// corresponding properties, and any additional specified arguments.
/// </summary>
/// <param name="args">The key/value pairs to update.</param>
/// <remarks>
/// The specified arguments take precedence over the values that were
/// previously set using properties.
/// </remarks>
// NOTE(review): no type arguments are visible on Dictionary in this
// listing -- confirm the parameter type against the base class
// signature.
public override void Update(Dictionary args)
{
    bool hasSearch = args.ContainsKey("search");
    if (!hasSearch)
    {
        // Add required arguments if not already present. "search" is
        // added to the result of Args.Create(args), not to the object
        // the caller passed in.
        args = Args.Create(args);
        args.Add("search", this.Search);
    }

    base.Update(args);
}

/// <summary>
/// Updates the entity with the accumulated arguments, established by
/// the corresponding properties for each specific entity class.
/// </summary>
public override void Update()
{
    // If not present in the update keys, add required attribute as long
    // as one pre-existing update pair exists.
    bool needsSearch = toUpdate.Count > 0 && !toUpdate.ContainsKey("search");
    if (needsSearch)
    {
        SetCacheValue("search", this.Search);
    }

    base.Update();
}
}
}