Feature Request: Add default search mode configuration setting

[tom-dc]

Feature Request

Problem Statement

When executing SPL queries in .splnb notebooks or .spl files, the extension currently uses the default Splunk search mode (typically "fast" or "smart"), which can miss events when fields are not extracted at index time. For indexes where field extraction happens at search time, this results in incomplete query results.

Requested Feature

Add a workspace/user configuration setting to specify the default search mode for SPL query execution:

"splunk.defaultSearchMode": "verbose"  // Options: "fast", "smart", "verbose"

Use Case

In threat hunting and security analysis workflows, we frequently work with data sources where field extraction occurs at search time rather than index time. When searches run in fast mode, events can be missed because the search head doesn't parse all fields during query execution.

Desired Solution: Set a default in settings.json:

"splunk.defaultSearchMode": "verbose"

Benefits

1. Consistency - Ensures all queries in a workspace execute with the appropriate search mode without manual annotation
2. Accuracy - Reduces risk of incomplete results from fast mode searches on appropriate data sources
3. Developer Experience - Eliminates repetitive inline parameter additions
4. Flexibility - Users can still override with inline parameters when needed

Implementation Suggestions

• Add configuration option to package.json contributes section
• Apply the setting when constructing search jobs via the Splunk SDK
• Allow per-query overrides with inline search_mode= parameter
• Consider adding to connection profile settings as an alternative

Related Splunk Documentation

• Search modes documentation
• Search job properties: exec_mode, adhoc_search_level