# Cisco Splunk
## Overview

The Cisco Splunk connector integrates Swimlane Turbine's automation capabilities with Splunk's data analytics for operational intelligence and security incident management. Splunk is a platform for searching, monitoring, and analyzing machine-generated data. Through this connector, Swimlane Turbine users can automate incident logging, search execution, and data analysis in Splunk: create events, create and manage searches, dispatch saved searches, and update notable events directly from Swimlane Turbine, which streamlines data analysis and incident response workflows.

## Limitations

None to date.

## Supported Versions

- Splunk Enterprise
- Splunk Cloud

v1 or v2 endpoints are called based on the Splunk Enterprise Version set in the asset configuration (defaults to 9.0.1).

## Additional Docs

- Splunk REST API reference: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog

## Configuration

### Prerequisites

To use the Cisco Splunk connector with Swimlane Turbine, configure one of the following authentication methods.

**HTTP Basic Authentication**, with these parameters:

- URL: endpoint for the Splunk API
- Username: your Splunk account username
- Password: your Splunk account password

**HTTP Bearer Authentication** (see https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/UseAuthTokens), with these parameters:

- URL: endpoint for the Splunk API
- Token: a valid bearer token, such as a Splunk authentication token (JWT), for authenticating API requests

Prefer a Splunk authentication token over a username and password where you can: a token can be issued to a dedicated service user, given an expiry, and revoked without touching a human account's password. Whichever method you use, grant that Splunk user only the capabilities the actions you need require (for example `edit_tcp` for Create Event).
Generally, the port must be set to 8089 (the splunkd management port) when connecting to Splunk; the web UI port (8000 by default) does not serve the REST API.

## Capabilities

The Cisco Splunk connector has the following capabilities:

- Create Event
- Create Search
- Dispatch Named Saved Search
- Edit Notable Events
- Get Saved Search
- Get Search
- Get Search Results
- One Shot Search
- Run Search with Polling

Generic actions that take the `output_mode` parameter accept:

- `json`: JSON output (default)
- `csv`: CSV output
- `xml`: XML output
- `raw`: raw output

### Create Event

Creates events from the contents of the HTTP body. The `edit_tcp` capability is additionally required for this endpoint, so grant it to the connector's Splunk user only if you use this action.

### Create Search

This action does not return the search results; it returns the search ID. The search may take some time to run in Splunk, so its results might not be immediately available for fetching. Poll Get Search until `dispatchState` is `DONE` before calling Get Search Results.

`data_body` examples:

- Search for notable events in the last 5 minutes: `"search": "search index=notable earliest=-5m"`
- Count HTTP 200 responses grouped by URI path: `"search": "search sourcetype=access_combined status=200 | stats count by uri_path"`
- Look up data from a CSV lookup file: `"search": "| inputlookup mylookup"`

Splunk's documentation for this endpoint: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs

### Edit Notable Events

Splunk's documentation for this endpoint: https://docs.splunk.com/Documentation/ES/7.3.2/API/NotableEventAPIreference

### Get Saved Search

Accesses the named saved search.

Splunk's documentation for this endpoint: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

### Get Search

The user ID is implied by the authentication used for the call. The `dispatchState` field can be one of the following values:

- `QUEUED`
- `PARSING`
- `RUNNING`
- `FINALIZING`
- `DONE`
- `PAUSE`
- `INTERNAL_CANCEL`
- `USER_CANCEL`
- `BAD_INPUT_CANCEL`
- `QUIT`
- `FAILED`

Only `DONE` means the results are complete. `FAILED`, `QUIT` and the three cancel states are terminal without usable results; every other value means the job is still in progress and should be polled again rather than treated as an error.

Splunk's documentation for this endpoint: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D

### Get Search Results

The `output_mode` parameter for this action accepts:

- `json`: JSON output (default)
- `csv`: CSV output
- `xml`: XML output
- `raw`: raw output
- `json_cols`: JSON output with columns
- `json_rows`: JSON output with rows
- `row`: row output
- `atom`: Atom output

Splunk's documentation for this endpoint: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults

### One Shot Search

This action runs a search and returns the results in a single call.

Inputs:

- `search_string`
  - Retrieve the first 10 events from the `_internal` index: `"search_string": "index=_internal | head 10"`
  - Find and count 404 errors by URI path: `"search_string": "search sourcetype=access_combined status=404 | stats count by uri_path"`
  - Use `tstats` to count events by host: `"search_string": "| tstats count where index=* by host"`
- `add_search`: if set to true, the keyword `search` is prepended to your search string unless it already starts with a pipe (`|`) or another generating command.
  - `"add_search": true`, `"search_string": "index=main error"`: the executed search is `search index=main error`
  - `"add_search": false`, `"search_string": "| inputlookup my_lookup_table"`: the executed search is `| inputlookup my_lookup_table`
- `earliest_time` and `latest_time`: relative or absolute, for example `"earliest_time": "-1h"` or `"earliest_time": "2023-07-01T00:00:00Z"`
- `app`
  - Run the search in the default Search & Reporting app: `"app": "search"`
  - Run the search in the Enterprise Security app: `"app": "SplunkEnterpriseSecuritySuite"`
- `parse_json`: due to a known Splunk issue with malformed JSON output, setting this to true makes the connector attempt to correct and parse the JSON response.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Username | Username | string | Required |
| Password | Password | string | Required |
| Splunk Enterprise Version | Splunk Enterprise version, used to call the updated endpoints: from version 9.0.1, v1 instances of some endpoints are deprecated and v2 instances of those endpoints are available | string | Optional |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Token | The API key, token, etc. | string | Required |
| Splunk Enterprise Version | Splunk Enterprise version, used to call the updated endpoints: from version 9.0.1, v1 instances of some endpoints are deprecated and v2 instances of those endpoints are available | string | Optional |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

Keep Verify SSL enabled outside of lab setups: with it disabled, the Basic credentials or the bearer token are sent to whatever answers on port 8089 without the server's identity being checked.

## Actions

### Create Event

Creates a new event in Cisco Splunk for incident logging and tracking, with the specified output mode.

Endpoint URL: `services/receivers/simple`
Method: `POST`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.output_mode | string | Required | Output mode for the Create Event action |
| data_body | string | Optional | Event data to index, sent as the request body |

Input example:

```json
{"parameters": {"output_mode": "json"}, "data_body": "string"}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| index | string | Index the event was written to |
| bytes | number | Number of bytes indexed |
| host | string | Host assigned to the event |
| source | string | Source assigned to the event |
| sourcetype | string | Sourcetype assigned to the event |

Output example:

```json
{"index": "string", "bytes": 123, "host": "string", "source": "string", "sourcetype": "string"}
```

### Create Search

Initiates a new search in Cisco Splunk with the specified output mode, returning the search ID for subsequent operations.

Endpoint URL: `services/search/jobs`
Method: `POST`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.output_mode | string | Required | Output mode for the Create Search action |
| headers | object | Optional | HTTP headers for the request |
| headers.Content-Type | string | Optional | Content type of the request body |
| data_body | object | Optional | Request body |
| data_body.search | string | Optional | The search to run |

Input example:

```json
{"headers": {"Content-Type": "application/x-www-form-urlencoded"}, "data_body": {"search": "search index=notable earliest=-5m"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | object | Feed-level links |
| origin | string | Origin of the feed |
| updated | string | Time the feed was updated |
| generator | object | Generator |
| generator.build | string | Generator build |
| generator.version | string | Generator version |
| entry | array | Job entries |
| entry.name | string | Name of the resource |
| entry.id | string | Unique identifier |
| entry.updated | string | Time the entry was updated |
| entry.links | object | Entry links |
| entry.links.alternate | string | Alternate link |
| entry.links.search_telemetry.json | string | Search telemetry link |
| entry.links.search.log | string | Search log link |
| entry.links.events | string | Events link |
| entry.links.results | string | Results link |
| entry.links.results_preview | string | Results preview link |
| entry.links.timeline | string | Timeline link |
| entry.links.summary | string | Summary link |
| entry.links.control | string | Control link |
| entry.published | string | Time the entry was published |
| entry.author | string | Entry author |
| entry.content | object | Job content (this is where `dispatchState` is reported) |

Output example:

```json
{"links": {}, "origin": "string", "updated": "2024-01-01T00:00:00Z", "generator": {"build": "string", "version": "string"}, "entry": [{"name": "example_name", "id": "12345678-1234-1234-1234-123456789abc", "updated": "2024-01-01T00:00:00Z", "links": {}, "published": "string", "author": "string", "content": {}, "acl": {}}], "paging": {"total": 123, "perPage": 123, "offset": 123}}
```

### Dispatch Named Saved Search

Executes a predefined saved search in Cisco Splunk using the provided `name` path parameter.

Endpoint URL: `/services/saved/searches/{{name}}/dispatch`
Method: `POST`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Request body |
| data_body.args.index_name | string | Optional | Argument values for a template saved search (`args.*` substitutes the matching `$name$` token in the saved search) |
| data_body.dispatchAs | string | Optional | The user context, quota, and access rights the saved search runs under |
| data_body.dispatch.now | boolean | Optional | Dispatch the search as if the specified time for this parameter were the current time |
| data_body.dispatch.adhoc_search_level | string | Optional | The level of ad hoc search to run. The default is `smart`, which runs the search at the level specified in the saved search |
| data_body.force_dispatch | boolean | Optional | Whether to start a new search even if another instance of this search is already running |
| data_body.trigger_actions | string | Optional | Whether to trigger alert actions |
| data_body.replay_speed | number | Optional | Real-time search replay speed factor: 1 is normal speed, 0.5 is half of normal speed, and 2 is twice as fast as normal. `earliest_time` and `latest_time` must indicate a real-time time range to use replay options |
| data_body.replay_et | string | Optional | Relative "wall clock" start time for the replay |
| data_body.replay_lt | string | Optional | Relative end time for the replay clock; the replay stops when clock time reaches this time |
| path_parameters.name | string | Required | The name of the saved search to dispatch |

Input example:

```json
{"data_body": {"args.index_name": "my_index", "dispatchAs": "owner", "dispatch.now": true, "dispatch.adhoc_search_level": "smart", "force_dispatch": true, "trigger_actions": "true", "replay_speed": 2, "replay_et": "-1d@d", "replay_lt": "@d"}, "path_parameters": {"name": "mysavedsearch"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Edit Notable Event

Updates existing notable events in Cisco Splunk with the details given in the provided `data_body`.

Endpoint URL: `services/notable_update`
Method: `POST`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Request body |
| data_body.ruleUIDs | array | Required | Rule UIDs of the notable events to update |
| data_body.searchID | string | Optional | Search ID the notable events came from |
| data_body.newOwner | string | Optional | New owner |
| data_body.urgency | string | Optional | New urgency |
| data_body.status | string | Optional | New status |
| data_body.comment | string | Optional | Comment to attach |
| data_body.disposition | string | Optional | An ID for a disposition that matches a disposition in the `reviewstatuses.conf` configuration file. Required only if you are changing the disposition of the event |

Input example:

```json
{"data_body": {"ruleUIDs": ["29439fbc-ffcb-45ff-93c2-420202012e1e", "38439bbc-eecb-44ff-91c2-420121a12e12"], "searchID": "an example search id", "newOwner": "an example owner", "urgency": "an example urgency", "status": "an example status", "comment": "an example comment", "disposition": "disposition:2"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| failure_count | number | Number of events that could not be updated |
| success | boolean | Whether the operation was successful |
| success_count | number | Number of events updated successfully |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 17 Jul 2023 20:53:02 GMT", "Expires": "Thu, 26 Oct 1978 00:00:00 GMT", "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0", "Content-Type": "application/json; charset=UTF-8", "X-Content-Type-Options": "nosniff", "Transfer-Encoding": "chunked", "Content-Encoding": "gzip", "Vary": "Accept-Encoding, Cookie, Authorization", "Connection": "Keep-Alive", "X-Frame-Options": "SAMEORIGIN", "Server": "Splunkd"}, "reason": "OK", "json_body": {"message": "", "failure_c
```

### Get Saved Search

Retrieves a formatted saved search from Cisco Splunk using the `name` and `output_mode` parameters.

Endpoint URL: `services/saved/searches/{{name}}`
Method: `GET`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.output_mode | string | Required | Output mode for the Get Saved Search action |
| path_parameters.name | string | Required | Name of the saved search |

Input example:

```json
{"parameters": {"output_mode": "json"}, "path_parameters": {"name": "example_name"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | object | Feed-level links |
| links.create | string | Create link |
| links._reload | string | Reload link |
| links._acl | string | ACL link |
| origin | string | Origin of the feed |
| updated | string | Time the feed was updated |
| generator | object | Generator |
| generator.build | string | Generator build |
| generator.version | string | Generator version |
| entry | array | Saved search entries |
| entry.name | string | Name of the resource |
| entry.id | string | Unique identifier |
| entry.updated | string | Time the entry was updated |
| entry.links | object | Entry links |
| entry.links.alternate | string | Alternate link |
| entry.links.list | string | List link |
| entry.links._reload | string | Reload link |
| entry.links.edit | string | Edit link |
| entry.links.acknowledge | string | Acknowledge link |
| entry.links.disable | string | Disable link |
| entry.links.dispatch | string | Dispatch link |
| entry.links.embed | string | Embed link |
| entry.links.history | string | History link |

Output example:

```json
{"links": {"create": "string", "_reload": "string", "_acl": "string"}, "origin": "string", "updated": "2024-01-01T00:00:00Z", "generator": {"build": "string", "version": "string"}, "entry": [{"name": "example_name", "id": "12345678-1234-1234-1234-123456789abc", "updated": "2024-01-01T00:00:00Z", "links": {}, "author": "string", "acl": {}, "fields": {}, "content": {}}], "paging": {"total": 123, "perPage": 123, "offset": 123}, "messages": [{"file_name": "example_name", "file": "string"}]}
```

### Get Search

Obtains the status of a specific search job in Cisco Splunk using the provided `search_id` and the selected output mode.

Endpoint URL: `services/search/jobs/{{search_id}}`
Method: `GET`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.output_mode | string | Required | Output mode for the Get Search action |
| path_parameters.search_id | string | Required | ID of the search job |

Input example:

```json
{"parameters": {"output_mode": "json"}, "path_parameters": {"search_id": "string"}}
```

Output:

The output parameters and the output example are the same job entry structure returned by Create Search (`status_code`, `reason`, `links`, `origin`, `updated`, `generator`, `entry[]` with its `links`, `published`, `author` and `content`); read `dispatchState` from `entry.content`.

### Get Search Results

Obtains the results of a specified search in Cisco Splunk using the provided `search_id` and output mode.

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | Required | Output mode for Get Search Results |
| search_id | string | Required | Unique identifier of the search job |
| count | number | Optional | The maximum number of results to return |
| offset | number | Optional | The first result from which to begin returning data |

Input example:

```json
{"output_mode": "json", "search_id": "1707831160.17704", "count": 10, "offset": 0}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| messages | array | Response messages |
| messages.type | string | Message type |
| messages.text | string | Message text |

Output example:

```json
{"messages": [{"type": "string", "text": "string"}]}
```

### One Shot Search

Performs a one-time search in Cisco Splunk using a specified string and imports the results directly into Swimlane records. A `search_string` is required.

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_string | string | Required | Splunk search query, e.g. `index=_internal | head 10` |
| add_search | boolean | Optional | If true, `search` is added to the start of the search string; false leaves the string as-is. Defaults to true |
| earliest_time | string | Optional | Any standard datetime format supported by pendulum, or a relative datetime such as `2020-01-18T18:34:04Z` or `-1h` |
| latest_time | string | Optional | Any standard datetime format supported by pendulum, or a relative datetime such as `2020-01-18T18:34:04Z` or `-1h` |
| owner | string | Optional | The owner's Splunk username, e.g. `admin` |
| app | string | Optional | The app to run the search in, e.g. `search` |
| parse_json | boolean | Optional | Splunk has a known bug that causes the JSON to be malformed; this attempts to fix the JSON before parsing it. Defaults to true |
| latest_result_head | boolean | Optional | Returns the first result of the response |
| latest_result_tail | boolean | Optional | Returns the last result of the response |

Input example:

```json
{"search_string": "string", "add_search": true, "earliest_time": "string", "latest_time": "string", "owner": "string", "app": "string", "parse_json": true, "latest_result_head": true, "latest_result_tail": true}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"json_body": [{"_bkt": "main~347~8a6b8c24-39c2-41d1-a0de-53a1e4936f43", "_cd": "347:962465689", "_indextime": "1688236453", "_raw": "{\"attributes\": {\"logging.googleapis.com/timestamp\": \"2023-07-01T18:34:03.14Z\"}, \"publish_time\": 1593195281.507, \"data\": {\"insertId\": \"bnn247d1uuw\", \"protoPayload\": {\"resourceName\": \"projects/344444931094/zones/<#token_region#>/instances/<#token_instance_name#>\", \"authenticationInfo\": {\"principalEmail\": \"gsa-labs2@splunk.com\"}, \"serviceName\": \"compute.googlea
```

### Run Search with Polling

Executes a long-running search in Cisco Splunk using the specified `search_string` and polls it until completion or timeout.

Endpoint URL: `/services/search/jobs`
Method: `POST`

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_string | string | Required | The Splunk search query string to run, e.g. `index=_internal | head 10` |
| output_mode | string | Optional | Output mode for Run Search with Polling |
| add_search | boolean | Optional | If true, prepends `search` to the search string automatically. Default is true |
| timeout | integer | Optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes) |
| poll_interval | integer | Optional | Interval in seconds between status checks. Default is 10 seconds |
| count | number | Optional | The maximum number of results to return |
| offset | number | Optional | The first result from which to begin returning data |

Input example:

```json
{"count": 10, "offset": 0}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| preview | boolean | Whether the results are a preview |
| init_offset | number | Offset of the first returned result |
| post_process_count | number | Post-process count |
| messages | array | Response messages |
| messages.type | string | Message type |
| messages.text | string | Message text |
| results | array | Result rows |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"Date": "Wed, 04 Jun 2025 08:50:29 GMT", "Expires": "Thu, 26 Oct 1978 00:00:00 GMT", "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0", "Content-Type": "application/json; charset=UTF-8", "X-Content-Type-Options": "nosniff", "Link": "</1749027018.39126>; rel=info", "Content-Length": "166", "Vary": "Cookie, Authorization", "Connection": "Keep-Alive", "X-Frame-Options": "SAMEORIGIN", "Server": "Splunkd"}, "reason": "OK", "json_body": {"preview": false, "init_offset": 0,
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | `no-store, no-cache, must-revalidate, max-age=0` |
| Connection | HTTP response header `Connection` | `Keep-Alive` |
| Content-Encoding | HTTP response header `Content-Encoding` | `gzip` |
| Content-Length | The length of the response body in bytes | `166` |
| Content-Type | The media type of the resource | `application/json; charset=UTF-8` |
| Date | The date and time at which the message was originated | `Mon, 17 Jul 2023 20:53:02 GMT` |
| Expires | The date/time after which the response is considered stale | `Thu, 26 Oct 1978 00:00:00 GMT` |
| Link | HTTP response header `Link` | `</1749027018.39126>; rel=info` |
| Server | Information about the software used by the origin server | `Splunkd` |
| Transfer-Encoding | HTTP response header `Transfer-Encoding` | `chunked` |
| Vary | HTTP response header `Vary` | `Accept-Encoding, Cookie, Authorization` |
| X-Content-Type-Options | HTTP response header `X-Content-Type-Options` | `nosniff` |
| X-Frame-Options | HTTP response header `X-Frame-Options` | `SAMEORIGIN` |
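Create Search, Get Search and Get Search Results are the three legs of one search-job lifecycle, and Run Search with Polling wraps them with `timeout` and `poll_interval`. The Python block below is an added example written for this page, not code from the Swimlane connector or from Splunk: it drives that lifecycle through the REST paths listed above, treats the `dispatchState` values the way the Get Search notes describe (only `DONE` has results; the cancel states, `QUIT` and `FAILED` are terminal failures; anything else keeps polling until the deadline), and pages results with `count` and `offset`. The HTTP layer is a constructed in-memory fake (`FakeSplunk`), and the helper names (`management_url`, `auth_headers`, `SearchJobClient`) and the exact response shapes are assumptions modelled on the page's examples, not connector APIs.

```python
"""Search job lifecycle: create, poll dispatchState, page results.

Added example, not Swimlane's or Splunk's code. HTTP is replaced by the
in-memory FakeSplunk so it runs offline; response shapes are assumptions.
"""
import base64
import time
from typing import Callable
from urllib.parse import urlsplit

# dispatchState values from the page; any value not listed here is still in progress.
TERMINAL_STATES = {"DONE", "FAILED", "INTERNAL_CANCEL", "USER_CANCEL", "BAD_INPUT_CANCEL", "QUIT"}


def management_url(url: str, default_port: int = 8089) -> str:
    """Normalise the asset URL to scheme://host:port, defaulting to the 8089
    management port; the 8000 web UI port does not serve the REST API."""
    parts = urlsplit(url if "://" in url else f"https://{url}")
    return f"{parts.scheme}://{parts.hostname}:{parts.port or default_port}"


def auth_headers(username=None, password=None, token=None) -> dict:
    """Bearer token when present (preferred: scoped, expiring, revocable);
    otherwise HTTP Basic built from username:password."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    if username and password:
        raw = f"{username}:{password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    raise ValueError("a token or a username/password pair is required")


class SearchJobClient:
    """transport(method, path, params, data) -> (status_code, json_body)."""

    def __init__(self, transport: Callable, sleep=time.sleep, clock=time.monotonic):
        self.transport, self.sleep, self.clock = transport, sleep, clock

    def create(self, search: str) -> str:
        status, body = self.transport("POST", "services/search/jobs", {"output_mode": "json"}, {"search": search})
        if status != 201:  # splunkd answers 201 Created with the new sid
            raise RuntimeError(f"create search failed: HTTP {status} {body}")
        return body["sid"]

    def dispatch_state(self, sid: str) -> str:
        _, body = self.transport("GET", f"services/search/jobs/{sid}", {"output_mode": "json"}, None)
        return body["entry"][0]["content"]["dispatchState"]

    def wait(self, sid: str, timeout: float = 600, poll_interval: float = 10) -> str:
        """Poll until a terminal state; only DONE has results worth fetching."""
        deadline = self.clock() + timeout
        while True:
            state = self.dispatch_state(sid)
            if state in TERMINAL_STATES:
                if state != "DONE":
                    raise RuntimeError(f"search {sid} ended in state {state}")
                return state
            if self.clock() >= deadline:
                raise TimeoutError(f"search {sid} still {state} after {timeout}s")
            self.sleep(poll_interval)

    def results(self, sid: str, page_size: int = 100) -> list:
        """Page through search/jobs/{sid}/results with count and offset."""
        rows, offset = [], 0
        while True:
            params = {"output_mode": "json", "count": page_size, "offset": offset}
            _, body = self.transport("GET", f"services/search/jobs/{sid}/results", params, None)
            page = body.get("results", [])
            rows.extend(page)
            if len(page) < page_size:
                return rows
            offset += page_size

    def run(self, search: str, timeout=600, poll_interval=10, page_size=100) -> list:
        sid = self.create(search)
        self.wait(sid, timeout, poll_interval)
        return self.results(sid, page_size)


class FakeSplunk:
    """Constructed stand-in for splunkd: the job steps through `states` on
    successive status polls and holds five constructed result rows."""

    def __init__(self, states=("QUEUED", "RUNNING", "DONE")):
        self.states, self.polls = list(states), 0
        self.rows = [{"host": f"web{i:02d}", "count": str(i)} for i in range(5)]

    def __call__(self, method, path, params, data):
        if method == "POST" and path == "services/search/jobs":
            return 201, {"sid": "1707831160.17704"}
        if path.endswith("/results"):
            off, cnt = int(params["offset"]), int(params["count"])
            return 200, {"preview": False, "init_offset": off, "results": self.rows[off:off + cnt]}
        if path.startswith("services/search/jobs/"):
            state = self.states[min(self.polls, len(self.states) - 1)]
            self.polls += 1
            return 200, {"entry": [{"content": {"dispatchState": state}}]}
        return 404, {"messages": [{"type": "ERROR", "text": "not found"}]}


if __name__ == "__main__":
    client = SearchJobClient(FakeSplunk(), sleep=lambda s: None)
    print(management_url("splunk.example.com"), auth_headers(token="constructed-token"))
    print(client.run("search index=_internal | head 5", page_size=2))  # 5 rows fetched over 3 pages
```

Against a real instance, `transport` would be a thin wrapper around an HTTP client that sends `auth_headers(...)` on every call, keeps certificate verification on, and uses `management_url(...)` as the base; the polling loop is unchanged. Injecting `sleep` and `clock` is what makes the timeout path testable without waiting ten minutes.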
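The One Shot Search notes above define the `add_search` prefix rule and say that `parse_json` works around malformed JSON from Splunk. The block below is an added example for this page, not connector or Splunk code: `normalize_search` applies the prefix rule, `oneshot_form` builds the `exec_mode=oneshot` form for `services/search/jobs` (a documented Splunk REST parameter for blocking searches), and `parse_results` reads either a well-formed body or one made of several concatenated JSON objects. The function names, the sample bodies, and the assumption that "malformed" means concatenated preview and final chunks are the example's own, not taken from the connector.

```python
"""Prepare a One Shot Search request and parse its JSON reply.

Added example, not code from the Swimlane connector or from Splunk. It assumes
the add_search rule is exactly as the page states, and that the "malformed
JSON" Splunk can return is several JSON objects concatenated or
newline-separated in one body (an assumption about the known issue).
"""
import json
import re

# In SPL every generating command other than `search` must be pipe-led, so a
# leading '|' or a leading 'search' keyword is what the prefix rule must detect.
_LEADING_SEARCH = re.compile(r"^search\b", re.IGNORECASE)


def normalize_search(search_string: str, add_search: bool = True) -> str:
    """Apply the add_search rule: prepend 'search ' unless the string is already
    a pipe-led command or already starts with the search keyword."""
    spl = search_string.strip()
    if not add_search or spl.startswith("|") or _LEADING_SEARCH.match(spl):
        return spl
    return f"search {spl}"


def oneshot_form(search_string, add_search=True, earliest_time=None, latest_time=None):
    """Form fields for POST services/search/jobs with exec_mode=oneshot, which
    makes splunkd run the search to completion and return rows directly."""
    form = {
        "search": normalize_search(search_string, add_search),
        "exec_mode": "oneshot",
        "output_mode": "json",
    }
    if earliest_time:
        form["earliest_time"] = earliest_time
    if latest_time:
        form["latest_time"] = latest_time
    return form


def _rows(doc) -> list:
    """Rows from one decoded Splunk JSON object: a 'results' list or a single
    export-style 'result'. A messages-only object yields nothing."""
    if isinstance(doc, dict):
        if "results" in doc:
            return list(doc["results"])
        if "result" in doc:
            return [doc["result"]]
    return []


def parse_results(body: str) -> list:
    """Return result rows from a well-formed body, or from a body made of several
    concatenated objects. When preview and final chunks are mixed, only the
    final (preview == false) chunks are kept."""
    try:
        return _rows(json.loads(body))
    except json.JSONDecodeError:
        pass
    decoder = json.JSONDecoder()
    chunks, pos = [], 0
    while pos < len(body):
        if body[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)  # still raises on real garbage
        chunks.append(obj)
    finals = [c for c in chunks if isinstance(c, dict) and c.get("preview") is False]
    rows = []
    for chunk in finals or chunks:
        rows.extend(_rows(chunk))
    return rows


# Constructed sample bodies, not captured from a real Splunk instance.
GOOD_BODY = '{"preview": false, "init_offset": 0, "messages": [], "results": [{"host": "web01", "count": "4"}]}'
MALFORMED_BODY = (
    '{"preview": true, "results": [{"host": "web01", "count": "1"}]}\n'
    '{"preview": false, "results": [{"host": "web01", "count": "4"}, {"host": "web02", "count": "2"}]}'
)

if __name__ == "__main__":
    print(oneshot_form("index=_internal | head 10", earliest_time="-1h"))
    print(oneshot_form("| tstats count where index=* by host", add_search=False))
    print(parse_results(GOOD_BODY))
    print(parse_results(MALFORMED_BODY))
```

`parse_results` never silently returns partial data: if a chunk is not valid JSON at all, `raw_decode` raises and the caller sees the failure instead of a truncated result set, which is the behaviour you want when the rows feed an automation decision.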