This is the right answer in my book. @a212830, one reason there isn't a published XSD because Splunk isn't a fixed schema system. For example, look at the docs link below where the Content field is described:

Container for content returned by the operation for an entry. Typically, responses returns content as dictionaries with key/value pairs that list properties of the entry. Content can be returned as a list of values or as inline plain text.

Been a while since I delved deeply into XSDs, but I'm not sure if any search would ever remain valid to a spec because by altering the search you alter the structure of the Contents field.

Shouldn't it already have one? How does Splunk know how to format it's output when I say output to XML?

By switching output to XML doesn't insure it's enforcing a legitimate XSD to do so. Heck, I can output a simple string that just happens to be XML, right?

I've also searched for XSD's in the past, particularly for SimpleXML Dashboard encoding without luck. Though creating an XSD from an existing XML is a good place to start I would also insure you refer to the documentation to insure you encapsulate all necessary elements, attributes, and account for cardinality:

http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTUM/RESTusing

If you have a Windows based system you can use Altova's XMLSpy (usually a 30 day free download) to convert XML to XSD. Otherwise my system is OS X, been using Xmplify last 2.5+ years - works fine. You can open your XML response file then go to Tools -> Derive XML Schema for Current Document.

Hope this helps?

The schemas for simple xml (and advanced, for that matter) are available in the package under the search_mrsparkle directory.

Awesome!! Thanks for sharing.

Do they want to use the XSD to validate that the XML conforms to it? If so, the instant you change anything about the search, such as adding a new field, the validation will fail. Then you get into the business of versions of XSD and XML, so its much easier to plan for this up front. Include a version number in your search (XML) that tells the receiver which version of the XSD to pull.

Of course all of this is a big hassle which is why people either ignore XSDs or move to JSON, the wild-west of data. This makes it much easier and more "agile", but much harder to validate data quality.

This is why I referred to the docs:

http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTUM/RESTusing

It does a seemingly good job of covering the expectations that you could craft a XSD from. But I agree, a more agile data format like JSON could be more advantageous. But Splunker a212830 may be employing an service bus or interface engine that requires a XSD in order to invoke an endpoint, or do a transform after the fact as you point out.