Splunk Lua API for KosmoKrator Agents
Agent-facing Lua documentation and function reference for the Splunk KosmoKrator integration.
Lua Namespace
Agents call this integration through app.integrations.splunk.*.
Use lua_read_doc("integrations.splunk") inside KosmoKrator to discover the same reference at runtime.
Call Lua from the Headless CLI
Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic
Splunk workflow without starting an interactive agent session.
```bash
kosmo integrations:lua --eval 'dump(app.integrations.splunk.search({query = "example_query", earliest_time = "example_earliest_time", latest_time = "example_latest_time", exec_mode = "example_exec_mode", options = "example_options"}))' --json
kosmo integrations:lua --eval 'print(docs.read("splunk"))' --json
kosmo integrations:lua --eval 'print(docs.read("splunk.search"))' --json
```
Workflow file
Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.
```lua
local splunk = app.integrations.splunk
local result = splunk.search({query = "example_query", earliest_time = "example_earliest_time", latest_time = "example_latest_time", exec_mode = "example_exec_mode", options = "example_options"})
dump(result)
```
```bash
kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json
```
integrations:lua exposes app.integrations.splunk, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.splunk.default.* or app.integrations.splunk.work.* when you configured named credential accounts.
MCP-only Lua
If the script only needs configured MCP servers and does not need Splunk, use the narrower mcp:lua command.
```bash
# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json
```
Agent-Facing Lua Docs
This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.
# Splunk Lua API Reference
Namespace: `app.integrations.splunk`
Configure `access_token` and a Splunk management API services URL, usually
`https://host:8089/services`. Splunk Cloud deployments may require REST API
access to be enabled for the management port.
## Search Jobs
Create an asynchronous job:
```lua
local job = app.integrations.splunk.search({
query = "search index=main error | head 100",
earliest_time = "-24h",
latest_time = "now"
})
```
Inspect and retrieve job data:
```lua
local status = app.integrations.splunk.get_search_job({ sid = job.sid })
local results = app.integrations.splunk.get_search_results({
sid = job.sid,
offset = 0,
count = 100
})
local events = app.integrations.splunk.get_search_events({
sid = job.sid,
count = 100
})
local log = app.integrations.splunk.get_search_log({ sid = job.sid })
```
List or cancel jobs:
```lua
local jobs = app.integrations.splunk.list_search_jobs({ count = 50 })
app.integrations.splunk.delete_search_job({ sid = job.sid })
```
Use `export_search` when you need Splunk's export endpoint instead of a stored
job lifecycle:
```lua
local exported = app.integrations.splunk.export_search({
query = "search index=_internal | head 10",
earliest_time = "-1h"
})
```
## Indexes
```lua
local indexes = app.integrations.splunk.list_indexes({ count = 100 })
local main = app.integrations.splunk.get_index({ name = "main" })
app.integrations.splunk.create_index({
name = "example_test",
options = { maxTotalDataSizeMB = 1024 }
})
app.integrations.splunk.update_index({
name = "example_test",
options = { frozenTimePeriodInSecs = 2592000 }
})
app.integrations.splunk.delete_index({ name = "example_test" })
```
## Saved Searches
```lua
local saved = app.integrations.splunk.list_saved_searches({
search = "name=*error*"
})
local report = app.integrations.splunk.get_saved_search({
name = "Daily errors"
})
app.integrations.splunk.create_saved_search({
name = "Daily errors",
query = "search index=main error | stats count by host",
options = {
is_scheduled = 1,
cron_schedule = "0 8 * * *"
}
})
app.integrations.splunk.update_saved_search({
name = "Daily errors",
options = { description = "Daily error summary" }
})
local dispatched = app.integrations.splunk.dispatch_saved_search({
name = "Daily errors",
options = { ["dispatch.earliest_time"] = "-24h" }
})
app.integrations.splunk.delete_saved_search({ name = "Daily errors" })
```
## Apps, Users, And Server Info
```lua
local apps = app.integrations.splunk.list_apps({})
local search_app = app.integrations.splunk.get_app({ name = "search" })
local users = app.integrations.splunk.list_users({})
local admin = app.integrations.splunk.get_user({ username = "admin" })
local current = app.integrations.splunk.get_current_user({})
local server = app.integrations.splunk.get_server_info({})
```
## Raw Services API Helpers
Use raw helpers only for documented Splunk services endpoints that do not yet
have a named tool. Paths must be relative to `/services`; full URLs and
parent-directory segments are rejected.
```lua
local raw = app.integrations.splunk.api_get({
path = "/server/info",
params = { output_mode = "json" }
})
local posted = app.integrations.splunk.api_post({
path = "/saved/searches/Daily%20errors/dispatch",
payload = { ["dispatch.earliest_time"] = "-24h" }
})
```
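The path rule stated above (relative to `/services`, no full URLs, no parent-directory segments), sketched as a standalone Lua validator. This is an added example, not KosmoKrator's own code: `fully_decode` and `validate_services_path` are hypothetical names, and rejecting backslashes, control characters and nested percent-encoding is a stricter assumption than the page states.

```lua
-- Added example; not KosmoKrator's implementation. All names are hypothetical.

-- Decode %XX escapes repeatedly so single or double encoding cannot hide
-- dots, slashes, or control characters from the checks below.
local function fully_decode(s)
  for _ = 1, 5 do
    local decoded = s:gsub("%%(%x%x)", function(hex)
      return string.char(tonumber(hex, 16))
    end)
    if decoded == s then return s end
    s = decoded
  end
  return nil -- still changing after 5 rounds: treat as hostile
end

-- Returns the path with a single leading slash, or nil plus a reason.
local function validate_services_path(path)
  if type(path) ~= "string" or path == "" then
    return nil, "path must be a non-empty string"
  end
  -- Query strings belong in params, not in the path itself.
  if path:find("[?#]") then return nil, "query or fragment in path" end
  local decoded = fully_decode(path)
  if not decoded then return nil, "excessive percent-encoding" end
  if decoded:find("%c") then return nil, "control character" end
  if decoded:find("\\", 1, true) then return nil, "backslash" end
  -- scheme:..., scheme://host and //host would leave the configured base URL.
  if decoded:find("^%a[%w+.%-]*:") or decoded:find("^//") then
    return nil, "full URL"
  end
  -- Check every segment of the decoded form for "." and "..".
  for segment in decoded:gmatch("[^/]+") do
    if segment == ".." or segment == "." then
      return nil, "dot segment"
    end
  end
  -- Keep the caller's encoding; only normalize the leading slash.
  return "/" .. path:gsub("^/+", "")
end

-- Constructed inputs: the two paths used on this page plus forms to reject.
local samples = {
  "/server/info",
  "/saved/searches/Daily%20errors/dispatch",
  "https://host:8089/services/server/info",
  "//host:8089/services",
  "/search/jobs/../../server/info",
  "/search/jobs/%2e%2e/%252e%252e/server/info",
  "/server/info%0d%0a",
}
for _, p in ipairs(samples) do
  local ok, reason = validate_services_path(p)
  print(string.format("%-45s %s", p, ok and "accepted" or ("rejected: " .. reason)))
end
```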
## Notes
- Prefer bounded searches with `earliest_time` and `latest_time`.
- Results, events, and logs require the job to exist and the token to have the
relevant Splunk capabilities.
- Many endpoints return Splunk Atom-style envelopes when `output_mode=json` is
not honored; this package returns decoded JSON when available or `{ raw = ... }`.
- Splunk Cloud API availability can vary by deployment and support settings.
## Multi-Account Usage
```lua
app.integrations.splunk.search({ query = "search index=main | head 10" })
app.integrations.splunk.production.search({ query = "search index=main | head 10" })
```
```lua
local result = app.integrations.splunk.search({query = "example_query", earliest_time = "example_earliest_time", latest_time = "example_latest_time", exec_mode = "example_exec_mode", options = "example_options"})
print(result)
```
Functions
search Write
Run a Splunk search query (SPL). Creates an asynchronous search job and returns the search ID (SID). Use splunk_get_search_results to retrieve results once the job completes.
- Lua path: app.integrations.splunk.search
- Full name: splunk.splunk_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| query | string | yes | The SPL search query (e.g., "search index=main error \| head 100"). |
| earliest_time | string | no | Earliest time for the search time range. Supports relative (e.g., "-24h", "-7d") or absolute (e.g., "2025-01-01T00:00:00") format. |
| latest_time | string | no | Latest time for the search time range. Supports relative (e.g., "now") or absolute (e.g., "2025-01-31T23:59:59") format. |
| exec_mode | string | no | Splunk execution mode. Defaults to normal. |
| options | object | no | Additional search/jobs form parameters. |
export_search Read
Run a Splunk export search and return the parsed or raw response.
- Lua path: app.integrations.splunk.export_search
- Full name: splunk.splunk_export_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| query | string | yes | SPL search query. |
| earliest_time | string | no | Optional earliest time. |
| latest_time | string | no | Optional latest time. |
| options | object | no | Additional export parameters. |
list_search_jobs Read
List Splunk search jobs with pagination and optional server-side filtering.
- Lua path: app.integrations.splunk.list_search_jobs
- Full name: splunk.splunk_list_search_jobs

| Parameter | Type | Required | Description |
|---|---|---|---|
| count | integer | no | Maximum number of jobs. |
| offset | integer | no | Pagination offset. |
| search | string | no | Optional server-side search filter. |
get_search_job Read
Get status and metadata for a Splunk search job by SID.
- Lua path: app.integrations.splunk.get_search_job
- Full name: splunk.splunk_get_search_job

| Parameter | Type | Required | Description |
|---|---|---|---|
| sid | string | yes | Search job ID. |
delete_search_job Write
Cancel or delete a Splunk search job by SID.
- Lua path: app.integrations.splunk.delete_search_job
- Full name: splunk.splunk_delete_search_job

| Parameter | Type | Required | Description |
|---|---|---|---|
| sid | string | yes | Search job ID. |
get_search_results Read
Retrieve results from a completed Splunk search job. Pass the search ID (SID) returned by splunk_search. Supports pagination with offset and count parameters.
- Lua path: app.integrations.splunk.get_search_results
- Full name: splunk.splunk_get_search_results

| Parameter | Type | Required | Description |
|---|---|---|---|
| sid | string | yes | The search job ID (SID) returned by a previous search. |
| offset | integer | no | The starting offset for pagination (0-based, default: 0). |
| count | integer | no | The number of results to return per page (default: 100). |
get_search_events Read
Retrieve event rows from a completed Splunk search job.
- Lua path: app.integrations.splunk.get_search_events
- Full name: splunk.splunk_get_search_events

| Parameter | Type | Required | Description |
|---|---|---|---|
| sid | string | yes | Search job ID. |
| offset | integer | no | Pagination offset. |
| count | integer | no | Number of events. |
get_search_log Read
Retrieve the search.log text for a Splunk search job.
- Lua path: app.integrations.splunk.get_search_log
- Full name: splunk.splunk_get_search_log

| Parameter | Type | Required | Description |
|---|---|---|---|
| sid | string | yes | Search job ID. |
list_indexes Read
List all Splunk indexes available to the authenticated user. Returns index names, sizes, event counts, and retention settings.
- Lua path: app.integrations.splunk.list_indexes
- Full name: splunk.splunk_list_indexes

| Parameter | Type | Required | Description |
|---|---|---|---|
| count | integer | no | Maximum number of indexes to return. |
| offset | integer | no | Pagination offset. |
get_index Read
Get details for a specific Splunk index by name. Returns configuration, size, event count, and retention policy.
- Lua path: app.integrations.splunk.get_index
- Full name: splunk.splunk_get_index

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | The name of the Splunk index to retrieve (e.g., "main", "_internal"). |
create_index Write
Create a Splunk index with optional index settings.
- Lua path: app.integrations.splunk.create_index
- Full name: splunk.splunk_create_index

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Index name. |
| options | object | no | Additional index creation parameters. |
update_index Write
Update Splunk index configuration parameters.
- Lua path: app.integrations.splunk.update_index
- Full name: splunk.splunk_update_index

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Index name. |
| options | object | yes | Index update parameters. |
delete_index Write
Delete a Splunk index by name.
- Lua path: app.integrations.splunk.delete_index
- Full name: splunk.splunk_delete_index

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Index name. |
list_saved_searches Read
List all saved searches configured in Splunk. Returns search names, queries, schedules, and alert settings.
- Lua path: app.integrations.splunk.list_saved_searches
- Full name: splunk.splunk_list_saved_searches

| Parameter | Type | Required | Description |
|---|---|---|---|
| count | integer | no | Maximum number of saved searches to return. |
| offset | integer | no | Pagination offset. |
| search | string | no | Optional server-side search filter. |
get_saved_search Read
Get a Splunk saved search by name.
- Lua path: app.integrations.splunk.get_saved_search
- Full name: splunk.splunk_get_saved_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Saved search name. |
create_saved_search Write
Create a Splunk saved search with optional schedule or alert settings.
- Lua path: app.integrations.splunk.create_saved_search
- Full name: splunk.splunk_create_saved_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Saved search name. |
| query | string | yes | SPL query. |
| options | object | no | Additional saved-search parameters. |
update_saved_search Write
Update a Splunk saved search by name.
- Lua path: app.integrations.splunk.update_saved_search
- Full name: splunk.splunk_update_saved_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Saved search name. |
| options | object | yes | Saved-search update parameters. |
delete_saved_search Write
Delete a Splunk saved search by name.
- Lua path: app.integrations.splunk.delete_saved_search
- Full name: splunk.splunk_delete_saved_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Saved search name. |
dispatch_saved_search Write
Dispatch a saved search and return the generated search job.
- Lua path: app.integrations.splunk.dispatch_saved_search
- Full name: splunk.splunk_dispatch_saved_search

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Saved search name. |
| options | object | no | Dispatch parameters. |
list_apps Read
List installed Splunk apps.
- Lua path: app.integrations.splunk.list_apps
- Full name: splunk.splunk_list_apps

| Parameter | Type | Required | Description |
|---|---|---|---|
| count | integer | no | Maximum number of apps. |
| offset | integer | no | Pagination offset. |
get_app Read
Get an installed Splunk app by name.
- Lua path: app.integrations.splunk.get_app
- Full name: splunk.splunk_get_app

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | yes | App name. |
list_users Read
List Splunk users visible to the authenticated token.
- Lua path: app.integrations.splunk.list_users
- Full name: splunk.splunk_list_users

| Parameter | Type | Required | Description |
|---|---|---|---|
| count | integer | no | Maximum number of users. |
| offset | integer | no | Pagination offset. |
get_user Read
Get a Splunk user by username.
- Lua path: app.integrations.splunk.get_user
- Full name: splunk.splunk_get_user

| Parameter | Type | Required | Description |
|---|---|---|---|
| username | string | yes | Splunk username. |
get_current_user Read
Get the current authenticated Splunk user context. Returns username, roles, capabilities, and tenant information.
- Lua path: app.integrations.splunk.get_current_user
- Full name: splunk.splunk_get_current_user

| Parameter | Type | Required | Description |
|---|---|---|---|
| No parameters. | | | |
get_server_info Read
Get Splunk server version, build, and platform information.
- Lua path: app.integrations.splunk.get_server_info
- Full name: splunk.splunk_get_server_info

| Parameter | Type | Required | Description |
|---|---|---|---|
| No parameters. | | | |
api_get Read
Call a safe relative Splunk services path with GET.
- Lua path: app.integrations.splunk.api_get
- Full name: splunk.splunk_api_get

| Parameter | Type | Required | Description |
|---|---|---|---|
| path | string | yes | Relative path under /services. |
| params | object | no | Query parameters. |
api_post Write
Call a safe relative Splunk services path with POST form parameters.
- Lua path: app.integrations.splunk.api_post
- Full name: splunk.splunk_api_post

| Parameter | Type | Required | Description |
|---|---|---|---|
| path | string | yes | Relative path under /services. |
| payload | object | no | Form body parameters. |
| params | object | no | Query parameters. |
api_delete Write
Call a safe relative Splunk services path with DELETE.
- Lua path: app.integrations.splunk.api_delete
- Full name: splunk.splunk_api_delete

| Parameter | Type | Required | Description |
|---|---|---|---|
| path | string | yes | Relative path under /services. |
| params | object | no | Query parameters. |