Splunk App: Trigger LogicHub Stream

This Adaptive Response Action enables users to trigger an On Demand Stream in LogicHub with an alert, notable, etc.

Overview

This Adaptive Response Action enables users to trigger an On Demand Stream in LogicHub from an alert, notable, etc. It is helpful in scenarios where the transmission and processing time of an event is uncertain: for example, if you query for events over the last 30 minutes and an event takes 40 minutes to become queryable, LogicHub will miss that event because it was not available during the 30-minute time window. This action lets Splunk send a trigger to LogicHub as soon as the event is available, so that LogicHub automatically triages 100% of your alerts and notables.

Steps to install the app

  1. Download the app from Splunkbase.
  2. Log into Splunk.
  3. Click the Manage Apps icon.
  4. On the Apps page, click Install app from file.
  5. Click Choose File, navigate to and select the app package file, then click Open.
  6. Click Upload.

Steps to upgrade the app

  1. Download the app from Splunkbase.
  2. Log into Splunk.
  3. Click the Manage Apps icon.
  4. On the Apps page, click Install app from file.
  5. Click Choose File, navigate to and select the app package file, then click Open.
  6. Select Upgrade app.
  7. Click Upload.

Create an alert to trigger the app

  1. Go to the Search page.
  2. Enter the search criteria for the events and click Search. Example: index="notable".
  3. Save the search as an alert by clicking "Save As -> Alert". This opens a popup.
  4. In the Alert window, configure the alert.
  5. At the bottom, click "Add action" and select the "Trigger LogicHub Stream" app.
  6. Under "When triggered", provide the "Host URL", "Port", "Logichub Stream URL" and "Verify SSL" inputs. Example:
    Host URL: https://www.host.url.io
    Port: 8443
    Logichub Stream URL: https://www.some.webhook.url.io
    Verify SSL: True
  7. Save the alert.
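To show what the configured action does at trigger time, here is an added example of a minimal Splunk custom alert action script, written for this page and not the Splunkbase app's own code. It assumes Splunk's standard alert-action contract (the script is run with `--execute` and receives one JSON payload on stdin whose `configuration` holds the form fields and whose `result` holds the triggering event), assumed parameter names `stream_url`, `port` and `verify_ssl`, that "Logichub Stream URL" is the webhook endpoint, and that "Port" applies only when that URL carries none.

```python
"""Splunk custom alert action that posts the triggering event to a LogicHub
On Demand Stream webhook (added example, not the Splunkbase app's code)."""
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed parameter names; the real app's alert_actions.conf keys are not documented here.
TRUE_VALUES = ("1", "true", "yes", "on")


def build_trigger(payload):
    """Turn the JSON payload Splunk writes to stdin with --execute into
    (url, verify_ssl, body). Assumes "Logichub Stream URL" is the webhook
    endpoint and "Port" applies only when that URL carries no port."""
    cfg = payload["configuration"]
    verify = str(cfg.get("verify_ssl", "1")).lower() in TRUE_VALUES  # verify by default
    stream = urlsplit(cfg["stream_url"])
    if stream.scheme != "https":
        raise ValueError("LogicHub stream URL must use https")
    netloc = stream.netloc
    if ":" not in netloc:
        netloc = f"{stream.hostname}:{cfg.get('port', '443')}"
    url = urlunsplit((stream.scheme, netloc, stream.path, stream.query, ""))
    body = json.dumps({
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "event": payload.get("result", {}),  # one result row per trigger
    }).encode("utf-8")
    return url, verify, body


def send_trigger(url, verify, body):
    """POST the trigger; certificate and hostname checks stay on unless
    Verify SSL was explicitly set to false."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__" and "--execute" in sys.argv:
    url, verify, body = build_trigger(json.load(sys.stdin))
    print(send_trigger(url, verify, body), file=sys.stderr)
```

Keeping "Verify SSL" at True means a LogicHub endpoint presenting an untrusted certificate fails the trigger rather than silently sending the notable elsewhere.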

Create a new notable event

  1. Go to the "Enterprise Security" page.
  2. Click on configure menu.
  3. Select "Incident Management" option.
  4. Select "New Notable Events" option.

Notes

  1. You might need the loadEventsFromExecutionContext operator in your LogicHub stream to read the event data sent by the Splunk app.
