# Splunk
Turn Machine Data Into Answers. Splunk delivers real-time answers and business value from machine data so you can make better decisions.
## Connect Splunk with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for Splunk.
3. Click Details, then the + icon. Enter the required information in the following fields.

| Field | Description |
| :---- | :---------- |
| Label | Enter a connection name. |
| Reference Values | Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations. |
| Verify SSL | Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate). |
| Remote Agent | Run this integration using the Devo SOAR Remote Agent. |
| URL | URL of the Splunk server (e.g., https://www.example.com). |
| User | User name to log in with. |
| Password | Password to log in with. |
| CA Certificate | Upload a .crt CA Certificate file to use, instead of the default certificate, when verifying the server. |

4. After you've entered all the details, click Connect.
## Actions for Splunk
## Update Notables
Update the status, urgency, owner, or comment of one or more notable events.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| EventID | Event ID of the notable. | Required |
| Comment | Comment to add to the notable. | Required |
| Status | Status of the notable. | Required |
| Urgency | Notable urgency (Unknown/Low/Medium/High/Critical). | Required |
| Owner | Jinja-template containing the owner name. Example: {{parent_column_containing_owner}} | Required |
| Retry Count | Number of times the integration retries connecting to Splunk if a request fails (default is 0). | Optional |
| Delay between retries | Time in seconds to wait between retries. Only used if Retry Count is set (default is 5 seconds). | Optional |
### Output
A JSON object containing results of performing the action.
## Query (Deprecated)
Runs a query on Splunk. Deprecated in favour of the Query action added in v5.1.0, which has improved performance and no result limit.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query String | Jinja-templated query string. Eg: 'search * \| head {{limit}}' | Required |
| App name | Jinja-templated name of the app to search in. Eg: 'notable-{{name}}' | Optional |
| User Name | Jinja-templated user name. Eg: '{{username}}' | Optional |
| Search Window Column: Start | Column of the parent table containing the start of the search window (default is flow-start-time). The column value must be in one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Search Window Column: End | Column of the parent table containing the end of the search window (default is flow-end-time). The column value must be in one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Interval | Slice the search window into smaller intervals of this many seconds (default is the elapsed time between the start and end of the window, i.e. a single slice). Note: the query is run once per slice, so queries that limit results (like 'head 10') return up to that many results per slice rather than in total. | Optional |
| Retry Count | Number of times the integration retries connecting to Splunk if a request fails (default is 0). | Optional |
| Delay between retries | Time in seconds to wait between retries. Only used if Retry Count is set (default is 5 seconds). | Optional |
### Output
A JSON object containing results of performing the action.
## Query
Runs a query on Splunk.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query String | Jinja-templated query string. Eg: 'search * \| head {{limit}}' | Required |
| App name | Jinja-templated name of the app to search in. Eg: 'notable-{{name}}' | Optional |
| User Name | Jinja-templated user name. Eg: '{{username}}' | Optional |
| Search Window Column: Start | Column of the parent table containing the start of the search window (default is flow-start-time). The column value must be in one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Search Window Column: End | Column of the parent table containing the end of the search window (default is flow-end-time). The column value must be in one of the standard ISO time formats. Eg: '2019-10-14T10:49:41.5-03:00'. | Optional |
| Time between consecutive API requests (in millis) | Time in milliseconds to wait between consecutive API requests (default is 0). | Optional |
### Output
JSON containing the following items:
``` {json}
{
  "Workload":"OneDrive",
  "Id":"asdfasdf-asdf-as-df-sd8dbasdf53",
  "EventSource":"SharePoint",
  "ListId":"asdf-8c39-40a8-bd29-asdf",
  "SiteUrl":"https://test.sharepoint.com/personal/test/",
  "CreationTime":"2023-04-03T05:59:59"
}
```
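The following is an added example, not Devo SOAR or Splunk code, illustrating what both Query actions do with their inputs: the Jinja-templated Query String is rendered from a parent-table row, the Search Window columns are parsed from their ISO timestamps, and (for the deprecated action's Interval field) the window is sliced and the search run once per slice. The `{{column}}` renderer is a simplified stand-in for Jinja, the `spl_quote` escaping rule for inserted values and the requirement for a UTC offset are assumptions, and the event list is constructed sample data; the stand-in search shows why `head 10` returns up to 10 results per slice rather than 10 in total.

```python
"""Added example (not Devo SOAR or Splunk code): render a templated Query
String, parse the search-window columns, slice the window by Interval and
run a stand-in search per slice. The {{var}} renderer is a simplified
stand-in for Jinja; the events below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional, Tuple

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def spl_quote(value: str) -> str:
    """Wrap a row value in SPL double quotes, escaping backslash and quote so
    a value such as 'bob" | delete' stays a literal inside the string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_query(template: str, row: dict) -> str:
    """Substitute {{column}} placeholders from one parent-table row.
    Assumption (stricter than plain Jinja): numbers are inserted bare,
    everything else is quoted, and an unknown column is an error."""
    def sub(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template refers to unknown column {name!r}")
        value = row[name]
        return str(value) if isinstance(value, (int, float)) else spl_quote(str(value))
    return PLACEHOLDER.sub(sub, template)


def parse_iso(ts: str) -> datetime:
    """Parse a search-window column value such as '2019-10-14T10:49:41.5-03:00'.
    Fractional seconds are padded to six digits because fromisoformat before
    Python 3.11 accepts only 3 or 6. A UTC offset is required (assumption)."""
    ts = ts.replace("Z", "+00:00")
    ts = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), ts)
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("search window timestamps must carry a UTC offset")
    return dt


def slice_window(start: datetime, end: datetime,
                 interval_s: Optional[int]) -> Iterator[Tuple[datetime, datetime]]:
    """Yield (earliest, latest) slices; no Interval means one slice = whole window."""
    if end <= start:
        raise ValueError("search window end must be after its start")
    if interval_s is None:
        yield start, end
        return
    if interval_s <= 0:
        raise ValueError("Interval must be a positive number of seconds")
    step = timedelta(seconds=interval_s)
    cur = start
    while cur < end:
        nxt = min(cur + step, end)
        yield cur, nxt
        cur = nxt


def run_search(events: List[dict], earliest: datetime, latest: datetime,
               head: Optional[int]) -> List[dict]:
    """Stand-in for one Splunk search: events in [earliest, latest), newest
    first, truncated like '| head N'."""
    hits = sorted((e for e in events if earliest <= e["_time"] < latest),
                  key=lambda e: e["_time"], reverse=True)
    return hits if head is None else hits[:head]


def sliced_search(events: List[dict], start: str, end: str,
                  interval_s: Optional[int], head: Optional[int]) -> List[dict]:
    """Run the stand-in search once per slice and concatenate the results."""
    results: List[dict] = []
    for earliest, latest in slice_window(parse_iso(start), parse_iso(end), interval_s):
        results.extend(run_search(events, earliest, latest, head))
    return results


# Constructed sample data: one event per minute for one hour (13:00-14:00 UTC).
T0 = datetime(2019, 10, 14, 13, 0, tzinfo=timezone.utc)
EVENTS = [{"_time": T0 + timedelta(minutes=i), "user": f"u{i}"} for i in range(60)]
WINDOW_START, WINDOW_END = "2019-10-14T10:00:00-03:00", "2019-10-14T11:00:00-03:00"

if __name__ == "__main__":
    print(render_query("search * | head {{limit}}", {"limit": 10}))
    print(render_query("search index=main user={{user}}", {"user": 'bob" | delete'}))
    # Same query and window: 10 results without an Interval, 60 with Interval=600.
    print(len(sliced_search(EVENTS, WINDOW_START, WINDOW_END, None, 10)),
          len(sliced_search(EVENTS, WINDOW_START, WINDOW_END, 600, 10)))
```

The quoting rule matters because a parent-table column holds whatever the upstream step produced; if a value is spliced into the query unquoted, characters such as `"` and `|` become part of the SPL rather than of the value being searched for. The slice counts show the Interval caveat concretely: a 600-second Interval over a one-hour window runs the `head 10` query six times.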
## List Users
Lists Splunk users
### Input Field
No Required Input
### Output
A JSON object containing multiple rows of result of Splunk user details.
![](https://files.readme.io/bbace8a-screenshot-1 "screenshot-1")
## Restart Splunk
Restarts Splunk Web interface and/or splunkd server daemon.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :---------------------------- | :------------------------------------------------------------------------------------------------- | :------- |
| Restart splunkd server daemon | Select option Yes/No whether to restart splunkd server daemon in addition to Splunk Web Interface. | Optional |
### Output
A JSON object containing results of performing the action.
![](https://files.readme.io/78b429a-screenshot-3 "screenshot-3")
## Reset User Password
Resets the given user's password.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------------- | :------------------------------------------------------------------------------------------------------ | :------- |
| Splunk user column | Select column containing user whose password is to be reset. | Required |
| Old password column | Select column containing the existing password that is to be reset. | Required |
| New password column | Select column containing a new password. If omitted, a random password will be generated and used. | Optional |
| Force Change Password | Select Yes/No. Forces the user to change the password at next login after the reset (default is 'Yes'). | Optional |
### Output
A JSON object containing results of performing the action.
![](https://files.readme.io/cbcdeda-screenshot-4 "screenshot-4")
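As an added example (not Devo SOAR or Splunk code), this is one way to produce the random replacement password used when New password column is omitted. The policy it enforces (16 characters with at least one lowercase letter, uppercase letter, digit and symbol) and the symbol set are assumptions, not Splunk's configured password policy; check the server's requirements before relying on it.

```python
"""Added example (not Devo SOAR code): random replacement password drawn from
the OS CSPRNG. The 16-character, four-class policy is an assumption."""
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+"  # assumed symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def meets_policy(password: str, min_length: int = 16) -> bool:
    """True if the password is long enough and covers all four character classes."""
    return (len(password) >= min_length
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 16) -> str:
    """Draw every character with secrets.choice (never the random module) and
    resample until the policy holds, so characters stay uniform over ALPHABET."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```

Both password inputs are ordinary parent-table columns, so their plaintext values are readable wherever that table is; omitting New password column so the action generates the value, and leaving Force Change Password at its default of 'Yes', keeps any password that passed through the table valid for as short a time as possible.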
## Configure Replication Factor
Configures the cluster replication factor and search factor. Requires a restart of the splunkd server daemon.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Replication Factor | Set the cluster replication factor. | Required |
| Search Factor | Set the cluster search factor. **Note**: the search factor must not be greater than the replication factor. | Required |
### Output
A JSON object containing results of performing the action.
![](https://files.readme.io/5f29907-screenshot-2 "screenshot-2")
## Forward to Splunk index
Writes events to a particular Splunk index.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Index | [Jinja-templated](doc:jinja-template) text containing the index to write to. Example: {{index_column}}. | Required |
| Source | [Jinja-templated](doc:jinja-template) text containing the source. Example: {{source_column}}. | Optional |
| Source Type | [Jinja-templated](doc:jinja-template) text containing the source type. Example: {{source_type_column}}. | Optional |
| Add Hidden Fields | Select True/False to add the hidden fields "lhub_page_num" and "lhub_id" to each forwarded event (default is False). | Optional |
### Output
A JSON object containing multiple rows of result:
``` {json}
{
  "result":"Successfully forwarded to splunk index",
  "error":null,
  "has_error":false
}
```
## Release Notes
- **v5.1.0**: Added new Query action with improved performance and no result limit.
- **v5.0.0**: Updated architecture to support IO via filesystem.
- **v4.4.0**: Added optional field CA Certificate at connection level to override the default certificate.
- **v4.3.1**: Added new optional fields App name and User name to the Query action, to search a specific app within a Splunk server.
- **v4.2.0**: Added new optional field Source in the existing action Forward to Splunk Index.