Splunk

Turn Machine Data Into Answers. Splunk delivers real-time answers and business value from machine data so you can make better decisions.

Integration with LogicHub

Connecting with Splunk

To connect to Splunk, the following details are required:

Actions with Splunk

Update Notables

Update the status, urgency, owner, or comment of one or more notable events.

Inputs to this Action:

  • EventID: Event ID of notable
  • Comment: Comment to use in notable
  • Status: Status of notable
  • Urgency: Notable urgency (Unknown/Low/Medium/High/Critical)
  • Owner: Jinja template containing the owner name. Example: {{parent_column_containing_owner}}
  • Retry Count (Optional): Number of times this integration retries connecting to Splunk if the connection fails (Default is 0).
  • Delay between retries (Optional): Time in seconds to wait between retries. Only used if Retry Count is set (Default is 5 seconds).

Output of Action:
JSON object containing results of performing the action

Query

Runs a search query on Splunk.

Inputs to this Action:

  • Query String: Search query string
  • Search Window Start (Optional): Start of the search window to fetch results for. Default 'flow-start-time'
  • Search Window End (Optional): End of the search window to fetch results for. Default 'flow-end-time'
  • Interval (Optional): Slice the search window into smaller intervals of this length (in seconds)
  • Retry Count (Optional): Number of times this integration retries connecting to Splunk if the connection fails (Default is 0).
  • Delay between retries (Optional): Time in seconds to wait between retries. Only used if Retry Count is set (Default is 5 seconds).

Output of Action:
JSON object containing results of performing the action.
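The following is an added example, not LogicHub's or Splunk's own code, showing the semantics the Query action's inputs describe: the search window is cut into slices of Interval seconds, each slice is searched, a failed connection is retried Retry Count times with the configured delay in between (the delay is never used when Retry Count is 0), and the rows from all slices are merged into one result object. The Splunk call itself is injected as a callable (`search_fn`, a hypothetical name), and `FlakySearch` is a constructed stand-in that fails a chosen number of times so the retry behaviour can be exercised offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed signature for the real Splunk search call (hypothetical, injected):
# search_fn(query, earliest_epoch, latest_epoch) -> list of result rows.
SearchFn = Callable[[str, int, int], List[Dict]]


@dataclass
class QuerySpec:
    query: str
    window_start: int               # epoch seconds (page default: flow-start-time)
    window_end: int                 # epoch seconds (page default: flow-end-time)
    interval: Optional[int] = None  # slice length in seconds; None = one search
    retry_count: int = 0            # page default 0 = no retries
    retry_delay: float = 5.0        # page default 5 s; only used when retry_count > 0


def slice_window(start: int, end: int, interval: Optional[int]) -> List[Tuple[int, int]]:
    """Split [start, end) into consecutive (earliest, latest) slices of at most `interval` seconds."""
    if end <= start:
        raise ValueError("search window end must be after its start")
    if interval is None:
        return [(start, end)]
    if interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    slices, cur = [], start
    while cur < end:
        nxt = min(cur + interval, end)
        slices.append((cur, nxt))
        cur = nxt
    return slices


def call_with_retries(fn: Callable[[], List[Dict]], retry_count: int, delay: float,
                      sleep: Callable[[float], None] = time.sleep) -> List[Dict]:
    """Call fn, retrying on ConnectionError up to retry_count times, sleeping `delay` seconds between attempts."""
    attempts = 1 + max(0, retry_count)
    for attempt in range(1, attempts + 1):
        try:
            return fn()
        except ConnectionError:
            if attempt == attempts:
                raise          # retries exhausted: surface the last failure to the caller
            sleep(delay)       # only reached when retry_count > 0
    raise AssertionError("unreachable")


def run_query(spec: QuerySpec, search_fn: SearchFn,
              sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Search every slice of the window and merge the rows into one result object."""
    rows: List[Dict] = []
    try:
        for earliest, latest in slice_window(spec.window_start, spec.window_end, spec.interval):
            rows.extend(call_with_retries(
                lambda lo=earliest, hi=latest: search_fn(spec.query, lo, hi),
                spec.retry_count, spec.retry_delay, sleep))
    except ConnectionError as exc:
        return {"result": rows, "error": str(exc), "has_error": True}
    return {"result": rows, "error": None, "has_error": False}


class FlakySearch:
    """Constructed stand-in for Splunk: fails the first `failures` calls, then returns one row per slice."""

    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0

    def __call__(self, query: str, earliest: int, latest: int) -> List[Dict]:
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("splunkd unreachable (constructed failure)")
        return [{"query": query, "earliest": earliest, "latest": latest, "count": latest - earliest}]


def demo(retry_count: int, failures: int) -> Dict:
    """Run a 100-second window in 30-second slices against a search that fails `failures` times."""
    spec = QuerySpec(query="search index=main sourcetype=syslog | stats count",
                     window_start=0, window_end=100, interval=30, retry_count=retry_count)
    sleeps: List[float] = []                       # record delays instead of really sleeping
    out = run_query(spec, FlakySearch(failures), sleep=sleeps.append)
    out["sleeps"] = sleeps
    return out


if __name__ == "__main__":
    print(demo(retry_count=0, failures=1))  # no retries: first slice fails, has_error is True
    print(demo(retry_count=2, failures=1))  # one retry absorbs the failure: 4 slices merged
```

With Retry Count left at its default of 0 a single connection failure aborts the action, and no delay is ever taken; with Retry Count set, the delay is applied between attempts and the partial rows from earlier slices are kept in the result even when a later slice ultimately fails.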

List Users

Lists Splunk users.

Inputs to this Action:
No Required Input

Output of Action:
Multiple rows containing result JSON of Splunk users details

Restart Splunk

Restarts Splunk Web interface and/or splunkd server daemon.

Inputs to this Action:

  • Restart splunkd server daemon (Optional): Select Yes/No to restart the splunkd server daemon in addition to the Splunk Web interface.

Output of Action:
JSON object containing results of performing the action.

Reset User Password

Resets the given user's password.

Inputs to this Action:

  • Splunk user column: Select the column containing the user whose password is to be reset.
  • Old password column: Select the column containing the existing password that is to be reset.
  • New password column (Optional): Select the column containing the new password. If omitted, a random password is generated and used.
  • Force Change Password (Optional): Select Yes/No. Forces the user to change the reset password at next login. Default 'Yes'.

Output of Action:
JSON object containing results of performing the action

Configure Replication Factor

Configures the cluster replication factor and search factor. Requires a restart of the splunkd server daemon.

Inputs to this Action:

  • Replication Factor: Set the cluster replication factor.
  • Search Factor: Set the cluster search factor.
    Note: The search factor must not be greater than the replication factor.

Output of Action:
JSON object containing results of performing the action.

Forward to Splunk index

Writes events to a particular Splunk index.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Index: Jinja template text containing the index to write to. Example: {{index_column}}
  • Source Type: Jinja template text containing the source type. Example: {{source_type_column}}
  • Add hidden Fields: Select True/False to add the hidden fields "lhub_page_num" and "lhub_id" (Default value is False).

Output of Action:
JSON containing the following:

{
   "result":"Successfully forwarded to splunk index",
   "error":null,
   "has_error":false
}
