Splunk · Capability
Splunk Enterprise REST API — Search
Splunk Enterprise REST API — Search. 8 operations. Lead operation: List Search Jobs. Self-contained Naftiko capability covering one Splunk business surface.
What You Can Do
GET
Listsearchjobs
— List Search Jobs
/v1/services/search/jobs
POST
Createsearchjob
— Create a Search Job
/v1/services/search/jobs
GET
Exportsearchresults
— Export Search Results
/v1/services/search/jobs/export
GET
Getsearchjob
— Get Search Job Details
/v1/services/search/jobs/{search-id}
DELETE
Deletesearchjob
— Delete a Search Job
/v1/services/search/jobs/{search-id}
POST
Controlsearchjob
— Control a Search Job
/v1/services/search/jobs/{search-id}/control
GET
Getsearchevents
— Get Search Events
/v1/services/search/jobs/{search-id}/events
GET
Getsearchresults
— Get Search Results
/v1/services/search/jobs/{search-id}/results
MCP Tools
list-search-jobs
List Search Jobs
read-only
idempotent
create-search-job
Create a Search Job
read-only
export-search-results
Export Search Results
read-only
idempotent
get-search-job-details
Get Search Job Details
read-only
idempotent
delete-search-job
Delete a Search Job
idempotent
control-search-job
Control a Search Job
read-only
get-search-events
Get Search Events
read-only
idempotent
get-search-results
Get Search Results
read-only
idempotent
Capability Spec
# Naftiko capability document header: spec version, descriptive metadata and
# the environment bindings that the capability resolves at runtime.
naftiko: 1.0.0-alpha2
info:
  label: Splunk Enterprise REST API — Search
  description: >-
    Splunk Enterprise REST API — Search. 8 operations. Lead operation: List Search Jobs. Self-contained Naftiko
    capability covering one Splunk business surface.
  tags:
    - Splunk
    - Search
  # Dates stay quoted so they are loaded as strings, not as date objects.
  created: "2026-05-19"
  modified: "2026-05-19"
binds:
  # The Splunk token is resolved through the env namespace; the secret itself
  # is not stored in this file.
  - namespace: env
    keys:
      SPLUNK_API_KEY: SPLUNK_API_KEY
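# Capability body: one outbound HTTP client for the Splunk search endpoints
# (consumes) and two inbound adapters, REST and MCP, that forward to it (exposes).
capability:
  consumes:
    # Every call below is sent with the bearer token declared under
    # `authentication`, so each caller of the exposed adapters acts with that
    # token's Splunk privileges.
    - type: http
      namespace: enterprise-rest-search
      # NOTE(review): {host} and {port} are placeholders; the file's `binds`
      # section only lists SPLUNK_API_KEY, so confirm where they are supplied
      # and that the certificate of the resulting https endpoint is verified.
      baseUri: https://{host}:{port}
      description: Splunk Enterprise REST API — Search business capability. Self-contained, no shared references.
      resources:
        - name: services-search-jobs
          path: /services/search/jobs
          operations:
            - name: listsearchjobs
              method: GET
              description: List Search Jobs
              # NOTE(review): Splunk's REST API answers in XML unless
              # output_mode=json is requested, and no such parameter is declared
              # on any operation here; confirm the runtime adds it.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: search
                  in: query
                  type: string
                  description: Filter search jobs by search string
                - name: sort_key
                  in: query
                  type: string
                  description: Field to sort by
                - name: sort_dir
                  in: query
                  type: string
                  description: Sort direction
            - name: createsearchjob
              method: POST
              description: Create a Search Job
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # The body is an untyped object, so nothing in this spec limits
                # which job parameters a caller may send.
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: services-search-jobs-export
          path: /services/search/jobs/export
          operations:
            - name: exportsearchresults
              method: GET
              description: Export Search Results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # Caller-supplied SPL is executed as written with the service
                # token; the spec applies no allow-list or filtering to it.
                - name: search
                  in: query
                  type: string
                  description: The SPL search query to execute
                  required: true
                - name: earliest_time
                  in: query
                  type: string
                  description: Earliest time for the search
                - name: latest_time
                  in: query
                  type: string
                  description: Latest time for the search
                - name: auto_cancel
                  in: query
                  type: integer
                  description: Seconds of inactivity after which the search is cancelled
                - name: enable_lookups
                  in: query
                  type: boolean
                  description: Whether to enable lookups during the search
        # NOTE(review): the four resources below use {search_id} in their path,
        # but no operation declares a path input parameter for it, and the
        # exposed routes spell it {search-id} without a `with:` mapping. Confirm
        # how the value reaches the URL. When wiring it, restrict it to a job id
        # and URL-encode it so a caller cannot redirect the request to another
        # REST path under the service token.
        - name: services-search-jobs-search_id
          path: /services/search/jobs/{search_id}
          operations:
            - name: getsearchjob
              method: GET
              description: Get Search Job Details
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deletesearchjob
              method: DELETE
              description: Delete a Search Job
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: services-search-jobs-search_id-control
          path: /services/search/jobs/{search_id}/control
          operations:
            - name: controlsearchjob
              method: POST
              description: Control a Search Job
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # Untyped body: the control action is chosen entirely by the
                # caller.
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: services-search-jobs-search_id-events
          path: /services/search/jobs/{search_id}/events
          operations:
            - name: getsearchevents
              method: GET
              description: Get Search Events
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: earliest_time
                  in: query
                  type: string
                  description: Earliest time boundary for events
                - name: latest_time
                  in: query
                  type: string
                  description: Latest time boundary for events
                - name: search
                  in: query
                  type: string
                  description: Post-processing search to filter events
                - name: field_list
                  in: query
                  type: string
                  description: Comma-separated list of fields to return
                - name: truncation_mode
                  in: query
                  type: string
                  description: How to truncate long lines
                - name: max_lines
                  in: query
                  type: integer
                  description: Maximum number of lines per event
        - name: services-search-jobs-search_id-results
          path: /services/search/jobs/{search_id}/results
          operations:
            - name: getsearchresults
              method: GET
              description: Get Search Results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: search
                  in: query
                  type: string
                  description: Post-processing search string to filter results
                - name: field_list
                  in: query
                  type: string
                  description: Comma-separated list of fields to return
      # The token comes from the environment binding. Use a Splunk token whose
      # role is limited to what these eight operations need, because every
      # adapter caller shares it.
      authentication:
        type: bearer
        token: '{{env.SPLUNK_API_KEY}}'
  exposes:
    # NOTE(review): no authentication or TLS setting is declared for this
    # listener in the spec. Anyone who can reach port 8080 can run searches and
    # delete or control jobs with the service token; confirm the runtime or a
    # fronting proxy authenticates callers and limits network exposure.
    - type: rest
      namespace: enterprise-rest-search-rest
      port: 8080
      description: REST adapter for Splunk Enterprise REST API — Search. One Spectral-compliant resource per consumed operation,
        prefixed with /v1.
      resources:
        - path: /v1/services/search/jobs
          name: services-search-jobs
          description: REST surface for services-search-jobs.
          operations:
            - method: GET
              name: listsearchjobs
              description: List Search Jobs
              call: enterprise-rest-search.listsearchjobs
              with:
                search: rest.search
                sort_key: rest.sort_key
                sort_dir: rest.sort_dir
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: createsearchjob
              description: Create a Search Job
              call: enterprise-rest-search.createsearchjob
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/services/search/jobs/export
          name: services-search-jobs-export
          description: REST surface for services-search-jobs-export.
          operations:
            - method: GET
              name: exportsearchresults
              description: Export Search Results
              call: enterprise-rest-search.exportsearchresults
              with:
                search: rest.search
                earliest_time: rest.earliest_time
                latest_time: rest.latest_time
                auto_cancel: rest.auto_cancel
                enable_lookups: rest.enable_lookups
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): {search-id} is not passed to the consumed operation by
        # any `with:` entry in the routes below.
        - path: /v1/services/search/jobs/{search-id}
          name: services-search-jobs-search-id
          description: REST surface for services-search-jobs-search_id.
          operations:
            - method: GET
              name: getsearchjob
              description: Get Search Job Details
              call: enterprise-rest-search.getsearchjob
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletesearchjob
              description: Delete a Search Job
              call: enterprise-rest-search.deletesearchjob
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/services/search/jobs/{search-id}/control
          name: services-search-jobs-search-id-control
          description: REST surface for services-search-jobs-search_id-control.
          operations:
            - method: POST
              name: controlsearchjob
              description: Control a Search Job
              call: enterprise-rest-search.controlsearchjob
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/services/search/jobs/{search-id}/events
          name: services-search-jobs-search-id-events
          description: REST surface for services-search-jobs-search_id-events.
          operations:
            - method: GET
              name: getsearchevents
              description: Get Search Events
              call: enterprise-rest-search.getsearchevents
              with:
                earliest_time: rest.earliest_time
                latest_time: rest.latest_time
                search: rest.search
                field_list: rest.field_list
                truncation_mode: rest.truncation_mode
                max_lines: rest.max_lines
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/services/search/jobs/{search-id}/results
          name: services-search-jobs-search-id-results
          description: REST surface for services-search-jobs-search_id-results.
          operations:
            - method: GET
              name: getsearchresults
              description: Get Search Results
              call: enterprise-rest-search.getsearchresults
              with:
                search: rest.search
                field_list: rest.field_list
              outputParameters:
                - type: object
                  mapping: $.
    # NOTE(review): the MCP listener uses plain `http` transport on port 9090
    # and declares no caller authentication. The tool hints below are advisory
    # metadata that MCP clients may use to decide which calls need user
    # confirmation, so each hint must match what the consumed operation does.
    - type: mcp
      namespace: enterprise-rest-search-mcp
      port: 9090
      transport: http
      description: MCP adapter for Splunk Enterprise REST API — Search. One tool per consumed operation, routed inline through
        this capability's consumes block.
      tools:
        - name: list-search-jobs
          description: List Search Jobs
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: enterprise-rest-search.listsearchjobs
          with:
            search: tools.search
            sort_key: tools.sort_key
            sort_dir: tools.sort_dir
          outputParameters:
            - type: object
              mapping: $.
        - name: create-search-job
          description: Create a Search Job
          hints:
            # Fixed: this tool issues a POST that creates a search job on the
            # server, so it is not read-only. Marked read-only, a client that
            # auto-approves read-only tools could start searches unprompted.
            readOnly: false
            destructive: false
            idempotent: false
          call: enterprise-rest-search.createsearchjob
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: export-search-results
          description: Export Search Results
          hints:
            # NOTE(review): the call is a GET, but `search` carries arbitrary
            # SPL, and SPL has write-capable commands (for example
            # `outputlookup` or `collect`). readOnly holds only if the token's
            # role cannot run them; confirm, or treat this tool as not
            # read-only.
            readOnly: true
            destructive: false
            idempotent: true
          call: enterprise-rest-search.exportsearchresults
          with:
            search: tools.search
            earliest_time: tools.earliest_time
            latest_time: tools.latest_time
            auto_cancel: tools.auto_cancel
            enable_lookups: tools.enable_lookups
          outputParameters:
            - type: object
              mapping: $.
        - name: get-search-job-details
          description: Get Search Job Details
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: enterprise-rest-search.getsearchjob
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-search-job
          description: Delete a Search Job
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: enterprise-rest-search.deletesearchjob
          outputParameters:
            - type: object
              mapping: $.
        - name: control-search-job
          description: Control a Search Job
          hints:
            # Fixed: this tool issues a POST that changes job state, so it is
            # not read-only. The untyped body lets the caller pick any control
            # action, including cancelling a job (which discards its results),
            # so the tool is marked destructive to require confirmation.
            readOnly: false
            destructive: true
            idempotent: false
          call: enterprise-rest-search.controlsearchjob
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-search-events
          description: Get Search Events
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: enterprise-rest-search.getsearchevents
          with:
            earliest_time: tools.earliest_time
            latest_time: tools.latest_time
            search: tools.search
            field_list: tools.field_list
            truncation_mode: tools.truncation_mode
            max_lines: tools.max_lines
          outputParameters:
            - type: object
              mapping: $.
        - name: get-search-results
          description: Get Search Results
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: enterprise-rest-search.getsearchresults
          with:
            search: tools.search
            field_list: tools.field_list
          outputParameters:
            - type: object
              mapping: $.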