Splunk Run a Search Job and Retrieve Results

arazzo: 1.0.1
info:
  title: Splunk Run a Search Job and Retrieve Results
  summary: Dispatch an SPL search, poll the job until it finishes, then read the results.
  description: >-
    The canonical Splunk search pattern. A search job is created from an SPL
    query, which runs asynchronously on the search head. The workflow polls the
    job's dispatch state until it reports DONE, then retrieves the transformed
    results. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: splunkApi
  url: ../openapi/splunk-enterprise-rest-api.yml
  type: openapi
workflows:
- workflowId: run-search-job
  summary: Create a search job, poll it to completion, and fetch its results.
  description: >-
    Submits an SPL search as an asynchronous job, repeatedly reads the job's
    dispatchState until it reaches DONE, then pulls back the paginated results
    in JSON.
  inputs:
    type: object
    required:
    - search
    properties:
      search:
        type: string
        description: The SPL search query to execute (e.g. "search index=main | head 100").
      earliest_time:
        type: string
        description: Earliest time boundary for the search (e.g. "-24h@h").
      latest_time:
        type: string
        description: Latest time boundary for the search (e.g. "now").
      count:
        type: integer
        description: Maximum number of results to return.
  steps:
  - stepId: createJob
    description: >-
      Dispatch the SPL search as an asynchronous search job and capture the
      assigned search ID (sid).
    operationId: createSearchJob
    parameters:
    - name: output_mode
      in: query
      value: json
    requestBody:
      contentType: application/x-www-form-urlencoded
      payload:
        search: $inputs.search
        earliest_time: $inputs.earliest_time
        latest_time: $inputs.latest_time
        exec_mode: normal
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      sid: $response.body#/sid
  - stepId: pollJob
    description: >-
      Read the search job status. The job is finished when dispatchState
      reports DONE; otherwise the step is retried.
    operationId: getSearchJob
    parameters:
    - name: search_id
      in: path
      value: $steps.createJob.outputs.sid
    - name: output_mode
      in: query
      value: json
    successCriteria:
    - condition: $statusCode == 200
    - context: $response.body
      condition: $.content.dispatchState == "DONE"
      type: jsonpath
    outputs:
      dispatchState: $response.body#/content/dispatchState
      resultCount: $response.body#/content/resultCount
      isDone: $response.body#/content/isDone
    onSuccess:
    - name: jobDone
      type: goto
      stepId: getResults
      criteria:
      - context: $response.body
        condition: $.content.dispatchState == "DONE"
        type: jsonpath
    onFailure:
    - name: retryPoll
      type: retry
      retryAfter: 2
      retryLimit: 30
      criteria:
      - condition: $statusCode == 200
  - stepId: getResults
    description: >-
      Retrieve the transformed results of the completed search job in JSON,
      paginated by count and offset.
    operationId: getSearchResults
    parameters:
    - name: search_id
      in: path
      value: $steps.createJob.outputs.sid
    - name: output_mode
      in: query
      value: json
    - name: count
      in: query
      value: $inputs.count
    - name: offset
      in: query
      value: 0
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      results: $response.body#/results
      fields: $response.body#/fields
      initOffset: $response.body#/init_offset
  outputs:
    sid: $steps.createJob.outputs.sid
    resultCount: $steps.pollJob.outputs.resultCount
    results: $steps.getResults.outputs.results