# Cisco Splunk
The Cisco Splunk connector enables seamless integration between Swimlane's automation capabilities and Splunk's data analytics, providing a robust solution for operational intelligence and security incident management.

Cisco Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated big data. This connector enables Swimlane Turbine users to automate incident logging, search execution, and data analysis within Splunk. By integrating with Cisco Splunk, users can create and manage events, initiate searches, dispatch saved searches, and update notable events directly from Swimlane Turbine. This enhances the efficiency of security operations by streamlining data analysis and incident response workflows.

## Limitations

None to date.

## Supported versions

- Splunk Enterprise
- Splunk Cloud

v1 or v2 endpoints will be called based on the version in the asset configuration. Defaults to 9.0.1.

## Additional docs

- Splunk's REST API reference: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog

## Configuration

### Prerequisites

To effectively utilize the Cisco Splunk connector for Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with these parameters:
  - URL: endpoint for the Cisco Splunk API
  - Username: your Cisco Splunk account username
  - Password: your Cisco Splunk account password
- HTTP Bearer Authentication with these parameters:
  - URL: endpoint for the Cisco Splunk API
  - Token: a valid bearer token, such as a JWT, for authentication

### Authentication methods

To effectively utilize the Cisco Splunk connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: endpoint for the Splunk API
  - Username: your Splunk account username
  - Password: your Splunk account password
- HTTP Bearer Token Authentication (https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/UseAuthTokens) with the following parameters:
  - URL: endpoint for the Splunk API
  - Token: a valid bearer token, such as a JWT, for authenticating API requests

Generally, the port must be set to 8089 when connecting to Splunk.

## Capabilities

The Cisco Splunk connector has the following capabilities:

- Create Event
- Create Search
- Dispatch Name Saved Search
- Edit Notable Events
- Get Saved Search
- Get Search
- Get Search Results
- One Shot Search
- Run Search with Polling

Generic actions that contain the `output_mode` parameter allow for:

- `json`: JSON output (default)
- `csv`: CSV output
- `xml`: XML output
- `raw`: raw output

### Create Event

Create events from the contents contained in the HTTP body. The `edit_tcp` capability is additionally required for this endpoint.

### Create Search

This action will not return the search results; it returns the search ID. Note that the search might take some time in Splunk, so the results might not be immediately available for fetching.

`data_body` examples:

- Search for notable events in the last 5 minutes: `search: 'search index=notable earliest=-5m'`
- Count HTTP 200 responses grouped by URI path: `search: 'search sourcetype=access_combined status=200 | stats count by uri_path'`
- Look up data from a CSV file: `search: '| inputlookup mylookup'`

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs

### Edit Notable Events

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/ES/7.3.2/API/NotableEventAPIreference

### Get Saved Search

Access the named saved search. Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

### Get Search

The user ID is implied by the authentication to the call. The `dispatchState` field can be one of the following values:

- `QUEUED`
- `PARSING`
- `RUNNING`
- `FINALIZING`
- `DONE`
- `PAUSE`
- `INTERNAL_CANCEL`
- `USER_CANCEL`
- `BAD_INPUT_CANCEL`
- `QUIT`
- `FAILED`

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D

### Get Search Results

The `output_mode` parameter for this action allows for:

- `json`: JSON output (default)
- `csv`: CSV output
- `xml`: XML output
- `raw`: raw output
- `json_cols`: JSON output with columns
- `json_rows`: JSON output with rows
- `row`: row output
- `atom`: Atom output

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults

### One Shot Search

This action will run a search and return the results in a single call.

Inputs:

- `search_string`
  - Retrieve the first 10 events from the `_internal` index: `search_string: 'index=_internal | head 10'`
  - Find and count 404 errors by URI path: `search_string: 'search sourcetype=access_combined status=404 | stats count by uri_path'`
  - Use `tstats` to count events by host: `search_string: '| tstats count where index=* by host'`
- `add_search`: if set to true, the keyword `search` will be prepended to your search string unless it already starts with a pipe (`|`) or another generating command.
  - `add_search: true` with `search_string: 'index=main error'`: the executed search will be `search index=main error`
  - `add_search: false` with `search_string: '| inputlookup my_lookup_table'`: the executed search will be `| inputlookup my_lookup_table`
- `earliest_time` and `latest_time`
  - `earliest_time: '-1h'`
  - `earliest_time: '2023-07-01T00:00:00Z'`
- `app`
  - Run the search in the default search app: `app: 'search'`
  - Run the search in the Search & Reporting app: `app: 'SplunkEnterpriseSecuritySuite'`
- `parse_json`: due to a known Splunk issue with malformed JSON outputs, setting this to true will attempt to correct and parse the JSON response.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| splunk_enterprise_version | Splunk Enterprise version to call updated endpoints. As from version 9.0.1, v1 instances of some endpoints are deprecated, and v2 instances of these endpoints are available. | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### HTTP Bearer Authentication

Authenticates using a bearer token, such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API key, token, etc. | string | required |
| splunk_enterprise_version | Splunk Enterprise version to call updated endpoints. As from version 9.0.1, v1 instances of some endpoints are deprecated, and v2 instances of these endpoints are available. | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create Event

Creates a new event in Cisco Splunk for incident logging and tracking with the specified output mode.

Endpoint URL: `services/receivers/simple`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | required | Parameter for Create Event |
| data_body | string | optional | Response data |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| index | string | Output field index |
| bytes | number | Output field bytes |
| host | string | Output field host |
| source | string | Output field source |
| sourcetype | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "index": "string",
      "bytes": 123,
      "host": "string",
      "source": "string",
      "sourcetype": "string"
    }
  }
]
```

### Create Search

Initiates a new search in Cisco Splunk with the specified output mode, returning the search ID for subsequent operations.

Endpoint URL: `services/search/jobs`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | required | Parameter for Create Search |
| headers | object | optional | HTTP headers for the request |
| Content-Type | string | optional | Type of the resource |
| data_body | object | optional | Response data |
| search | string | optional | Parameter for Create Search |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | object | Output field links |
| origin | string | Output field origin |
| updated | string | Output field updated |
| generator | object | Output field generator |
| build | string | Output field build |
| version | string | Output field version |
| entry | array | Output field entry |
| name | string | Name of the resource |
| id | string | Unique identifier |
| updated | string | Output field updated |
| links | object | Output field links |
| alternate | string | Output field alternate |
| search_telemetry_json | string | Output field search_telemetry_json |
| search.log | string | Output field search.log |
| events | string | Output field events |
| results | string | Result of the operation |
| results_preview | string | Result of the operation |
| timeline | string | Output field timeline |
| summary | string | Output field summary |
| control | string | Output field control |
| published | string | Output field published |
| author | string | Output field author |
| content | object | Response content |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "links": {},
      "origin": "string",
      "updated": "2024-01-01T00:00:00Z",
      "generator": {},
      "entry": [],
      "paging": {}
    }
  }
]
```

### Dispatch Name Saved Search

Executes a predefined saved search in Cisco Splunk using the provided `name` path parameter.

Endpoint URL: `/services/saved/searches/{{name}}/dispatch`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Response data |
| args.index_name | string | optional | Arg values to create a saved search, if the saved search is a template search |
| dispatchAs | string | optional | Indicate the user context, quota, and access rights for the saved search. The saved search runs according to the context indicated. |
| dispatch.now | boolean | optional | Dispatch the search as if the specified time for this parameter was the current time |
| dispatch.adhoc_search_level | string | optional | The level of ad hoc search to run. The default is smart, which runs the search at the level specified in the saved search. |
| force_dispatch | boolean | optional | Indicates whether to start a new search even if another instance of this search is already running |
| trigger_actions | string | optional | Indicates whether to trigger alert actions |
| replay_speed | number | optional | Indicate a real-time search replay speed factor. For example, 1 indicates normal speed, 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. `earliest_time` and `latest_time` arguments must indicate a real-time time range to use replay options. |
| replay_et | string | optional | Relative "wall clock" start time for the replay |
| replay_lt | string | optional | Relative end time for the replay clock. The replay stops when clock time reaches this time. |
| name | string | required | The name of the saved search to dispatch |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Edit Notable Event

Update existing notable events in Cisco Splunk with specified details using the provided data body.

Endpoint URL: `services/notable_update`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Response data |
| ruleUIDs | array | required | Unique identifier |
| searchID | string | optional | Unique identifier |
| newOwner | string | optional | Parameter for Edit Notable Event |
| urgency | string | optional | Parameter for Edit Notable Event |
| status | string | optional | Status value |
| comment | string | optional | Parameter for Edit Notable Event |
| disposition | string | optional | An ID for a disposition that matches a disposition in the `reviewstatuses.conf` configuration file. Required only if you are changing the disposition of the event. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| failure_count | number | Count value |
| success | boolean | Whether the operation was successful |
| success_count | number | Whether the operation was successful |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 17 Jul 2023 20:53:02 GMT",
      "Expires": "Thu, 26 Oct 1978 00:00:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
      "Content-Type": "application/json; charset=UTF-8",
      "X-Content-Type-Options": "nosniff",
      "Transfer-Encoding": "chunked",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding, Cookie, Authorization",
      "Connection": "Keep-Alive",
      "X-Frame-Options": "SAMEORIGIN",
      "Server": "Splunkd"
    },
    "reason": "OK",
    "json_body": {
      "message": "",
      "failure_count": 0,
      "success": true,
      "success_count": 2
    }
  }
]
```

### Get Saved Search

Retrieves a formatted saved search from Cisco Splunk using the `name` and `output_mode` parameters.

Endpoint URL: `services/saved/searches/{{name}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | required | Parameter for Get Saved Search |
| name | string | required | Name of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | object | Output field links |
| create | string | Output field create |
| _reload | string | Output field _reload |
| _acl | string | Output field _acl |
| origin | string | Output field origin |
| updated | string | Output field updated |
| generator | object | Output field generator |
| build | string | Output field build |
| version | string | Output field version |
| entry | array | Output field entry |
| name | string | Name of the resource |
| id | string | Unique identifier |
| updated | string | Output field updated |
| links | object | Output field links |
| alternate | string | Output field alternate |
| list | string | Output field list |
| _reload | string | Output field _reload |
| edit | string | Output field edit |
| acknowledge | string | Output field acknowledge |
| disable | string | Output field disable |
| dispatch | string | Output field dispatch |
| embed | string | Output field embed |
| history | string | Output field history |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "links": {},
      "origin": "string",
      "updated": "2024-01-01T00:00:00Z",
      "generator": {},
      "entry": [],
      "paging": {},
      "messages": []
    }
  }
]
```

### Get Search

Obtain the status of a specific search in Cisco Splunk using the provided search ID and selected output mode.

Endpoint URL: `services/search/jobs/{{search_id}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | required | Parameter for Get Search |
| search_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| links | object | Output field links |
| origin | string | Output field origin |
| updated | string | Output field updated |
| generator | object | Output field generator |
| build | string | Output field build |
| version | string | Output field version |
| entry | array | Output field entry |
| name | string | Name of the resource |
| id | string | Unique identifier |
| updated | string | Output field updated |
| links | object | Output field links |
| alternate | string | Output field alternate |
| search_telemetry_json | string | Output field search_telemetry_json |
| search.log | string | Output field search.log |
| events | string | Output field events |
| results | string | Result of the operation |
| results_preview | string | Result of the operation |
| timeline | string | Output field timeline |
| summary | string | Output field summary |
| control | string | Output field control |
| published | string | Output field published |
| author | string | Output field author |
| content | object | Response content |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "links": {},
      "origin": "string",
      "updated": "2024-01-01T00:00:00Z",
      "generator": {},
      "entry": [],
      "paging": {}
    }
  }
]
```

### Get Search Results

Obtain the results of a specified search in Cisco Splunk using the provided search ID and output mode.

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| output_mode | string | required | Parameter for Get Search Results |
| search_id | string | required | Unique identifier |
| count | number | optional | The maximum number of results to return |
| offset | number | optional | The first result from which to begin returning data |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| messages | array | Response message |
| type | string | Type of the resource |
| text | string | Output field text |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "messages": []
    }
  }
]
```

### One Shot Search

Performs a one-time search in Cisco Splunk using a specified string and imports the results directly into Swimlane records. A `search_string` is required.

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_string | string | required | Splunk search query, e.g. `index=_internal | head 10` |
| add_search | boolean | optional | If true, `search` will be added to the start of the search string; false will leave the `search` prefix off. Defaults to true. |
| earliest_time | string | optional | This can be any standard datetime format supported by pendulum or a relative datetime format. Examples: `2020-01-18T18:34:04Z` or `-1h`. |
| latest_time | string | optional | This can be any standard datetime format supported by pendulum or a relative datetime format. Examples: `2020-01-18T18:34:04Z` or `-1h`. |
| owner | string | optional | The owner's Splunk username, e.g. `admin` |
| app | string | optional | The app to run the search in, e.g. `search` |
| parse_json | boolean | optional | Splunk has a known bug that causes the JSON to be malformed. This will attempt to fix the JSON before parsing it. Defaults to true. |
| latest_result_head | boolean | optional | Returns the first result of the response |
| latest_result_tail | boolean | optional | Returns the last result of the response |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example: the response is an array holding one object with `status_code` 200, `reason` "OK", the response headers, and a `json_body` that is a list of Splunk events. Each event carries the fields `_bkt`, `_cd`, `_indextime`, `_raw`, `_serial`, `_si`, `_sourcetype`, `_subsecond`, `_time`, `host`, `index`, `linecount`, `source`, `sourcetype` and `splunk_server`.
### Run Search with Polling

Executes and polls a long-running search in Cisco Splunk until completion or timeout, using the specified `search_string`.

Endpoint URL: `/services/search/jobs`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_string | string | required | The Splunk search query string to run, e.g. `index=_internal | head 10` |
| output_mode | string | optional | Parameter for Run Search with Polling |
| add_search | boolean | optional | If true, prepends `search` to the search string automatically. Default is true. |
| timeout | integer | optional | Maximum number of seconds to wait for the search to complete before timing out. Default is 600 seconds (10 minutes). |
| poll_interval | integer | optional | Interval in seconds between each status check. Default is 10 seconds. |
| count | number | optional | The maximum number of results to return |
| offset | number | optional | The first result from which to begin returning data |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| preview | boolean | Output field preview |
| init_offset | number | Output field init_offset |
| post_process_count | number | Count value |
| messages | array | Response message |
| type | string | Type of the resource |
| text | string | Output field text |
| results | array | Result of the operation |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Wed, 04 Jun 2025 08:50:29 GMT",
      "Expires": "Thu, 26 Oct 1978 00:00:00 GMT",
      "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
      "Content-Type": "application/json; charset=UTF-8",
      "X-Content-Type-Options": "nosniff",
      "Link": "</1749027018.39126>; rel=info",
      "Content-Length": "166",
      "Vary": "Cookie, Authorization",
      "Connection": "Keep-Alive",
      "X-Frame-Options": "SAMEORIGIN",
      "Server": "Splunkd"
    },
    "reason": "OK",
    "json_body": {
      "preview": false,
      "init_offset": 0,
      "post_process_count": 0,
      "messages": [],
      "results": []
    }
  }
]
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate, max-age=0 |
| Connection | HTTP response header Connection | Keep-Alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 166 |
| Content-Type | The media type of the resource | application/json; charset=UTF-8 |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 26 Oct 1978 00:00:00 GMT |
| Link | HTTP response header Link | </1749027018.39126>; rel=info |
| Server | Information about the software used by the origin server | Splunkd |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding, Cookie, Authorization |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
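The Create Search / Get Search / Get Search Results sequence that Run Search with Polling wraps, written out as an added example; this is not the connector's own code. It assumes a hypothetical transport object with `post(path, data)` and `get(path, params)` methods that return parsed JSON, and `FakeSplunk` is a constructed stand-in for those three endpoints so the happy path, the failed-job path and the timeout path all run offline.

```python
"""Create Search -> Get Search (poll dispatchState) -> Get Search Results, the sequence
Run Search with Polling wraps. Added example, not the connector's code: `client` is a
hypothetical transport (post(path, data) / get(path, params) returning parsed JSON)."""
import time

# dispatchState values listed under Get Search; how to react to each is this example's
# choice. A PAUSE job never progresses on its own, so it can only end by timeout here.
DONE_STATES = {"DONE"}
PENDING_STATES = {"QUEUED", "PARSING", "RUNNING", "FINALIZING", "PAUSE"}
FAILED_STATES = {"FAILED", "INTERNAL_CANCEL", "USER_CANCEL", "BAD_INPUT_CANCEL", "QUIT"}

class SearchFailed(RuntimeError):
    """The job reached a terminal dispatchState other than DONE."""

class SearchTimeout(TimeoutError):
    """The job was still pending when the timeout budget ran out."""

def normalize_search(search_string, add_search=True):
    """add_search rule: prepend the 'search' keyword unless the string already starts
    with a pipe (a generating command) or with 'search' itself."""
    spl = search_string.strip()
    if not add_search or spl.startswith("|") or spl.lower().startswith("search "):
        return spl
    return "search " + spl

def run_search_with_polling(client, search_string, add_search=True, output_mode="json",
                            timeout=600, poll_interval=10, count=0, offset=0,
                            sleep=time.sleep, clock=time.monotonic):
    """Defaults mirror the page: 600 s timeout, 10 s poll interval, count=0 (all rows)."""
    spl = normalize_search(search_string, add_search)
    # Create Search returns only the search id; the results live behind a second call.
    sid = client.post("services/search/jobs", {"search": spl, "output_mode": "json"})["sid"]
    deadline = clock() + timeout
    while True:
        job = client.get(f"services/search/jobs/{sid}", {"output_mode": "json"})
        state = job["entry"][0]["content"]["dispatchState"]
        if state in DONE_STATES:
            break
        if state not in PENDING_STATES:  # FAILED, the cancel states, QUIT, or anything unknown
            raise SearchFailed(f"search {sid} ended in dispatchState {state}")
        if clock() >= deadline:
            raise SearchTimeout(f"search {sid} still {state} after {timeout}s")
        sleep(poll_interval)
    params = {"output_mode": output_mode, "count": count, "offset": offset}
    return client.get(f"services/search/jobs/{sid}/results", params)

def poll_outcome(client, search_string, **kwargs):
    """Run the flow and report ('done', rows), ('failed', msg) or ('timeout', msg)."""
    try:
        return "done", run_search_with_polling(client, search_string, **kwargs)["results"]
    except SearchFailed as exc:
        return "failed", str(exc)
    except SearchTimeout as exc:
        return "timeout", str(exc)

class FakeSplunk:
    """Constructed in-memory stand-in for the three endpoints. Each status poll advances
    the job one step along `states`; the last state repeats, so a stuck job stays stuck."""

    def __init__(self, states, results):
        self.states, self.results, self.calls, self.jobs = list(states), results, [], {}

    def post(self, path, data):
        self.calls.append(("POST", path, data))
        sid = f"{1700000000 + len(self.jobs)}.{len(self.jobs) + 1}"  # Splunk-style sid shape
        self.jobs[sid] = {"search": data["search"], "polls": 0}
        return {"sid": sid}

    def get(self, path, params):
        self.calls.append(("GET", path, params))
        parts = path.split("/")  # services/search/jobs/<sid>[/results]
        job = self.jobs[parts[3]]
        if parts[-1] == "results":
            rows = self.results[params["offset"]:]
            rows = rows[:params["count"]] if params["count"] else rows
            return {"preview": False, "init_offset": params["offset"],
                    "post_process_count": 0, "messages": [], "results": rows}
        state = self.states[min(job["polls"], len(self.states) - 1)]
        job["polls"] += 1
        return {"entry": [{"name": job["search"], "content": {"dispatchState": state}}]}

# Constructed sample rows, shaped like the output of `| tstats count where index=* by host`.
SAMPLE_ROWS = [{"host": "hf01", "count": "42"}, {"host": "hf02", "count": "7"},
               {"host": "idx01", "count": "1305"}]

def demo():
    """Happy path: QUEUED -> PARSING -> RUNNING -> DONE, then the first two rows."""
    fake = FakeSplunk(["QUEUED", "PARSING", "RUNNING", "DONE"], SAMPLE_ROWS)
    outcome = poll_outcome(fake, "| tstats count where index=* by host",
                           poll_interval=0, sleep=lambda _s: None, count=2)
    return fake, outcome
```

Against a live instance the transport would send the same three requests to port 8089 with the asset's basic or bearer credentials; `FakeSplunk.calls` records exactly that request sequence so it can be inspected.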