CreateScheduledSearchV2 is
used to input data for creating a scheduled search.
Table: CreateScheduledSearchV2
| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column. | |||||
| Table last updated: Mar 28, 2025 | |||||
actions | [string] | yes | A list of ids or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname. | ||
backfillLimit | integer | User-defined limit, which caps the number of missed searches to backfill, e.g. in the event of a shutdown. | |||
description | string | Description of the scheduled search. | |||
enabled | boolean | true | Flag indicating whether the scheduled search is enabled. The default is true. | ||
labels | [string] | yes | [ ] | Labels attached to the scheduled search. | |
maxWaitTimeSeconds | long | The maximum number of seconds to wait for ingest delay and query warnings. Only allowed when queryTimestamp is IngestTimestamp where it's mandatory. | |||
Name | string | yes | Name of the scheduled search. | ||
queryOwnershipType | QueryOwnershipType | yes | Ownership of the query run by this scheduled search. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. | ||
queryString | string | yes | LogScale query to execute. | ||
queryTimestampType | QueryTimestampType | yes | The timestamp type to use for the query. Running on @ingesttimestamp is only available with feature flag, ScheduledSearchIngestTimestamp. See QueryTimestampType. | ||
runAsUserId | string | The scheduled search will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the scheduled search will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user. | |||
schedule | string | yes | Cron pattern describing the schedule to execute the query on. | ||
searchIntervalOffsetSeconds | long | The offset of the search interval in seconds. Only allowed when queryTimestampType is EventTimestamp where it's mandatory. | |||
searchIntervalSeconds | long | The search interval in seconds. | |||
timeZone | string | yes | Time zone of the schedule. Currently this field only supports UTC offsets like 'UTC', 'UTC-01' or 'UTC+12:45'. | ||
viewName | string | yes | Name of the view of the scheduled search. | ||