Splunk

Version: 4.4.0

Turn Machine Data Into Answers. Splunk delivers real-time answers and business value from machine data so you can make better decisions.

Connect Splunk with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Splunk.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL of the Splunk server (e.g., https://www.example.com)
    • User: User name to log in with.
    • Password: Password to log in with.
    • CA Certificate: Upload a .crt CA Certificate file.
  4. After you've entered all the details, click Connect.

Actions for Splunk

Update Notables

Update the status, urgency, owner, or comment of one or more notable events.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| EventID | Event ID of the notable. | Required |
| Comment | Comment to use in the notable. | Required |
| Status | Status of the notable. | Required |
| Urgency | Notable urgency (Unknown/Low/Medium/High/Critical). | Required |
| Owner | Jinja template containing the owner name. Example: {{parent_column_containing_owner}} | Required |
| Retry Count | Number of times this integration retries connecting to Splunk in case of failure (Default is 0). | Optional |
| Delay between retries | Time in seconds to wait between retries. Only used if a retry count is set (Default is 5 seconds). | Optional |

Output

A JSON object containing results of performing the action.


Query

Runs a query on Splunk.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Query String | Jinja-templated query string. E.g., 'search * \| head {{limit}}' | Required |
| App name | Jinja-templated text containing the name of the app to search on. E.g., 'notable-{{name}}' | Optional |
| User Name | Jinja-templated text containing the user name. E.g., '{{username}}' | Optional |
| Search Window Column: Start | Column name from the parent table containing the start of the search window (Default is flow-start-time). The column value should be in any one of the standard ISO time formats. E.g., '2019-10-14T10:49:41.5-03:00'. | Optional |
| Search Window Column: End | Column name from the parent table containing the end of the search window (Default is flow-end-time). The column value should be in any one of the standard ISO time formats. E.g., '2019-10-14T10:49:41.5-03:00'. | Optional |
| Interval | Slice the search into smaller intervals, in seconds (Default is the elapsed time between start-window and end-window). Note: The query is run once for each slice, so some queries (like 'head 10') may return results different from what is expected. | Optional |
| Retry Count | Number of times this integration retries connecting to Splunk in case of failure (Default is 0). | Optional |
| Delay between retries | Time in seconds to wait between retries. Only used if a retry count is set (Default is 5 seconds). | Optional |

Output

A JSON object containing results of performing the action.
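
The note on the Interval field is easiest to see with numbers. The following is an added example, not LogicHub's or Splunk's code: a simplified model of a search window cut into slices with a 'head n' query run once per slice. The function names, the half-open slice boundaries and the sample events are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

def slice_window(start_iso, end_iso, interval_s=None):
    """Split [start, end) into consecutive slices of interval_s seconds.

    With no interval the whole window is a single slice, matching the
    documented default. Half-open boundaries are an assumption of this model.
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    if end <= start:
        raise ValueError("search window end must be after its start")
    if interval_s is not None and interval_s <= 0:
        raise ValueError("interval must be a positive number of seconds")
    step = timedelta(seconds=interval_s) if interval_s else end - start
    slices, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)  # the last slice may be shorter
        slices.append((cur, nxt))
        cur = nxt
    return slices

def run_head_per_slice(event_times, slices, n):
    """Simplified model of '... | head n' executed once per slice:
    keep the n newest events of each slice, then concatenate the results."""
    rows = []
    for lo, hi in slices:
        in_slice = sorted((t for t in event_times if lo <= t < hi), reverse=True)
        rows.extend(in_slice[:n])
    return rows

# Constructed sample: one event every 5 minutes from 10:00 to 10:55 (12 events).
START, END = "2019-10-14T10:00:00-03:00", "2019-10-14T11:00:00-03:00"
EVENTS = [datetime.fromisoformat(START) + timedelta(minutes=5 * i) for i in range(12)]

def rows_returned(interval_s, n=3):
    """Number of rows a 'head n' query yields for the sample window."""
    return len(run_head_per_slice(EVENTS, slice_window(START, END, interval_s), n))

if __name__ == "__main__":
    print("no interval :", rows_returned(None))   # one slice
    print("1200 s      :", rows_returned(1200))   # three slices
    print("2700 s      :", rows_returned(2700))   # two slices, last one shorter
```

When a playbook step depends on an exact row count, leave Interval unset or apply the limit after the per-slice results have been merged.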


List Users

Lists Splunk users

Input Field

No Required Input

Output of Action:
A JSON object containing multiple rows of Splunk user details.


Restart Splunk

Restarts Splunk Web interface and/or splunkd server daemon.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Restart splunkd server daemon | Select Yes/No to choose whether to restart the splunkd server daemon in addition to the Splunk Web interface. | Optional |

Output

A JSON object containing results of performing the action.


Reset User Password

Resets the given user's password.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Splunk user column | Select the column containing the user whose password is to be reset. | Required |
| Old password column | Select the column containing the existing password that is to be reset. | Required |
| New password column | Select the column containing a new password. If omitted, a random password will be generated and used. | Optional |
| Force Change Password | Select Yes/No. Forces the user to change the password on login with a reset password. Default is 'Yes'. | Optional |

Output

A JSON object containing results of performing the action.


Configure Replication Factor

Configures the replication factor and search factor. Requires a restart of the splunkd server daemon.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Replication Factor | Set Cluster Replication Factor. | Required |
| Search Factor | Set Cluster Search Factor. Note: Search Factor must not be more than the Replication Factor. | Required |

Output

A JSON object containing results of performing the action.


Forward to Splunk index

Writes to a particular Splunk index.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Index | Jinja-templated text containing an index to write to. Example: {{index_column}}. | Required |
| Source | Jinja-templated text containing the source. Example: {{source_column}}. | Optional |
| Source Type | Jinja-templated text containing the source type. Example: {{source_type_column}}. | Optional |
| Add Hidden Fields | Select True/False to add hidden fields ("lhub_page_num" and "lhub_id"). Default value is False. | Optional |

Output

A JSON object containing multiple rows of result:

{
   "result":"Successfully forwarded to splunk index",
   "error":null,
   "has_error":false
}

Release Notes

  • v4.4.0 - Added optional field CA Certificate at connection level to override the default certificate.
  • v4.3.1 - Added new optional fields app name and user name to the Query action, to search a specific app within a Splunk server.
  • v4.2.0 - Added new optional field source in an existing action Forward to Splunk Index.

© 2017-2021 LogicHub®. All Rights Reserved.