Splunk
Version: 5.2.6
Turn Machine Data Into Answers. Splunk delivers real-time answers and business value from machine data so you can make better decisions.
Connect Splunk with LogicHub
- Navigate to Automations > Integrations.
- Search for Splunk.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: URL of the Splunk server (e.g., https://www.example.com)
- User: User name to log in with.
- Password: Password to log in with.
- CA Certificate: Upload a .crt CA Certificate file.
- After you've entered all the details, click Connect.
Actions for Splunk
Update Notables
Update the status, urgency, owner, or comment of one or more notable events.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| EventID | Event ID of notable. | Required |
| Comment | Comment to use in notable. | Required |
| Status | Status of notable. | Required |
| Urgency | Notable urgency (Unknown/Low/Medium/High/Critical). | Required |
| Owner | Jinja-template containing the owner name. Example: {{parent_column_containing_owner}} | Required |
| Retry Count | This integration retries connecting with splunk this many number of time in case of failure (Default is 0). | Optional |
| Delay between retries | Amount of time in seconds which is used to wait between the retries. Only used if retry count is used. (Default is 5 seconds). | Optional |
Output
A JSON object containing results of performing the action.
Query (Deprecated)
Runs query on Splunk
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query String | Jinja-templated query string. Eg: 'search * | head {{limit}}' | Required |
| App name | Jinja-templated containing name of the app to search on. Eg: 'notable-{{name}}' | Optional |
| User Name | Jinja-templated containing user name. Eg: '{{username}}' | Optional |
| Search Window Column: Start | Specify column name from parent table containing start of search window (Default is flow-start-time). The column-value should be in any one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Search Window Column: End | Specify column name from parent table containing end of search window (Default is flow-end-time). The column-value should be in any one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Interval | Slice search into smaller intervals in seconds (Default is elapsed time between start-window and end-window). Note: The query will be run for each slice. So, some queries (like 'head 10') may have results different than what is expected. | Optional |
| Retry Count | This integration retries connecting with splunk this many number of time in case of failure. Default is 0. | Optional |
| Delay between retries | Amount of time in seconds which is used to wait between the retries. Only used if retry count is used (Default is 5 seconds). | Optional |
Output
A JSON object containing results of performing the action.
Query
Runs query on Splunk
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query String | Jinja-templated query string. Eg: 'search * | head {{limit}}' | Required |
| App name | Jinja-templated containing name of the app to search on. Eg: 'notable-{{name}}' | Optional |
| User Name | Jinja-templated containing user name. Eg: '{{username}}' | Optional |
| Search Window Column: Start | Specify column name from parent table containing start of search window (Default is flow-start-time). The column-value should be in any one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Search Window Column: End | Specify column name from parent table containing end of search window (Default is flow-end-time). The column-value should be in any one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds (Default is 0 millisecond) | Optional |
Output
JSON containing the following items:
{
"Workload":"OneDrive",
"Id":"asdfasdf-asdf-as-df-sd8dbasdf53",
"EventSource":"SharePoint",
"ListId":"asdf-8c39-40a8-bd29-asdf",
"SiteUrl":"https://test.sharepoint.com/personal/test/",
"CreationTime":"2023-04-03T05:59:59"
}
List Users
Lists Splunk users
Input Field
No Required Input
Output of Action:
A JSON object containing multiple rows of result of Splunk user details.
Restart Splunk
Restarts Splunk Web interface and/or splunkd server daemon.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Restart splunkd server daemon | Select option Yes/No whether to restart splunkd server daemon in addition to Splunk Web Interface. | Optional |
Output
A JSON object containing results of performing the action.
Reset User Password
Resets given user's password
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Splunk user column | Select column containing user whose password is to be reset. | Required |
| Old password column | Select column containing the existing password that is to be reset. | Required |
| New password column | Select column containing a new password. If omitted, a random password will be generated and used. | Optional |
| Force Change Password | Select option Yes/No. Forces user to change the password on login with a reset password. Default 'Yes'. | Optional |
Output
A JSON object containing results of performing the action.
Configure Replication Factor
Configures replication and Search factor. Requires a restart of splunkd server daemon.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Replication Factor | Set Cluster Replication Factor. | Required |
| Search Factor | Set Cluster Search Factor. Note: Search Factor must not be more than the Replication Factor. | Required |
Output
A JSON object containing results of performing the action.
Forward to Splunk index
It writes to a particular Splunk index.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Index | Jinja-templated text containing an index to write on. Example: {{index_column}}. | Required |
| Source | Jinja-templated text containing source. Example: {{source_column}. | Optional |
| Source Type | Jinja-templated text containing source type. Example: {{source_type_column}. | Optional |
| Add Hidden Fields | Select True/False for add hidden fields ( "lhub_page_num" and "lhub_id") .(Default value is False). | Optional |
Output
A JSON object containing multiple rows of result:
{
"result":"Successfully forwarded to splunk index",
"error":null,
"has_error":false
}
Release Notes
v5.1.0- Added newQueryaction with performance improvement and no result limit.v5.0.0- Updated architecture to support IO via filesystemv4.4.0- Added optional fieldCA Certificateat connection level to override the default certificate.v4.3.1- Added new optional fields:app nameanduser namesearch to a specific app within a Splunk server inQueryaction.v4.2.0- Added new optional field source in an existing actionForward to Splunk Index.
Updated about 1 year ago