One-shot Search
Description: Performs a one-time search in Cisco Splunk with a specified search string and imports the results into Swimlane records. Requires the 'search string' input.

Inputs:
- search string (string) – required. The Splunk search query, e.g. `index=_internal | head 10`. NOTE(review): the string is handed to Splunk as SPL and is presumably executed with the privileges of the Splunk account the connector authenticates as, so it can run any command that account is allowed to run (including generating and output commands). Do not interpolate untrusted record fields into it without quoting/validating them, and give the connector a least-privilege Splunk account (search-only role, restricted indexes).
- add search (boolean) – If true, the literal `search` command is prepended to the search string; if false, the search string is sent as-is, so it must already start with `search` or with a generating command (`| ...`). Defaults to true.
- earliest time (string) – Any standard datetime format supported by Pendulum, or a relative time. Example: `2020-01-18T18:34:04Z` or `1h`.
- latest time (string) – Any standard datetime format supported by Pendulum, or a relative time. Example: `2020-01-18T18:34:04Z` or `1h`.
- owner (string) – The owner's Splunk username, e.g. `admin`.
- app (string) – The app to run the search in, e.g. `search`.
- parse json (boolean) – Splunk has a known bug that causes the returned JSON to be malformed; when true, the connector attempts to repair the JSON before parsing it. Defaults to true.
- latest result head (boolean) – Returns the first result of the response.
- latest result tail (boolean) – Returns the last result of the response.

Output example (reproduced as captured – punctuation was lost in extraction; the events are eventgen sample data, not real telemetry):
\[ { "json body" \[ { " bkt" "main 347 8a6b8c24 39c2 41d1 a0de 53a1e4936f43", " cd" "347 962465689", " indextime" "1688236453", " raw" "{\\"attributes\\" {\\"logging googleapis com/timestamp\\" \\"2023 07 01t18 34 03 14z\\"},\\"publish time\\" 1593195281 507,\\"data\\" {\\"insertid\\" \\"bnn247d1uuw\\",\\"protopayload\\" {\\"resourcename\\" \\"projects/344444931094/zones/<#token region#>/instances/<#token instance name#>\\",\\"authenticationinfo\\" {\\"principalemail\\" \\"gsa labs2\@splunk com\\"},\\"servicename\\" \\"compute googleapis com\\",\\"request\\" {\\"@type\\" \\"type googleapis com/compute instances insert\\"},\\"@type\\" \\"type googleapis com/google cloud audit auditlog\\",\\"requestmetadata\\" {\\"callersupplieduseragent\\" \\"gce managed instance group\\"},\\"methodname\\" \\"v1 compute instances insert\\"},\\"operation\\" {\\"last\\"\ true,\\"id\\" \\"operation 1593195275250 5a900ae706aac 
9dd8bd24 20ca32d0\\",\\"producer\\" \\"compute googleapis com\\"},\\"timestamp\\" \\"2023 07 01t18 34 03\\",\\"receivetimestamp\\" \\"2023 07 01t18 34 03 000000305578z\\",\\"resource\\" {\\"labels\\" {\\"instance id\\" \\"1129295029103986148\\",\\"project id\\" \\"refined copilot 275702\\",\\"zone\\" \\"<#token region#>\\"},\\"type\\" \\"gce instance\\"},\\"logname\\" \\"projects/refined copilot 275702/logs/cloudaudit googleapis com%2factivity\\",\\"severity\\" \\"notice\\"}}\n", " serial" "0", " si" \[ "splunk813", "main" ], " sourcetype" "google\ gcp\ pubsub\ audit", " subsecond" " 14", " time" "2023 07 01 18 34 03 140 utc", "host" "127 0 0 1", "index" "main", "linecount" "2", "source" "google gcp pubsub audit instances eventgen", "sourcetype" "google\ gcp\ pubsub\ audit", "splunk server" "splunk813" }, { " bkt" "main 347 8a6b8c24 39c2 41d1 a0de 53a1e4936f43", " cd" "347 962471023", " indextime" "1688236457", " raw" "{\\"name\\" \\"475462518164251999999999 ebabb804 6b04 47546 b8ff a27742ca3fb7\\",\\"type\\" \\"microsoft security/locations/alerts\\",\\"id\\" \\"/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft security/locations/uksouth/alerts/475462518164251999999999 ebabb804 6b04 47546 b8ff a27742ca3fb7\\",\\"properties\\" {\\"alertname\\" \\"network trafficfromunrecommendedip\\",\\"confidencereasons\\" \[],\\"subscriptionid\\" \\"475461213b189 13ff 42fe b370 df6da421bce1\\",\\"entities\\" \[{\\"type\\" \\"azure resource\\",\\"resourceid\\" \\"/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf047546\\",\\"$id\\" \\"uksouth 1\\"},{\\"type\\" \\"host\\",\\"$id\\" \\"uksouth 2\\",\\"azureid\\" \\"/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf047546\\"},{\\"address\\" \\"216 223 104 50\\",\\"type\\" \\"ip\\",\\"location\\" {\\"latitude\\" 32 04583,\\"state\\" 
\\"jiangsu\\",\\"countrycode\\" \\"cn\\",\\"countryname\\" \\"china\\",\\"longitude\\" 118 78417,\\"city\\" \\"nanjing\\",\\"asn\\" 23650},\\"$id\\" \\"uksouth 3\\"},{\\"address\\" \\"92 88 112 115\\",\\"type\\" \\"ip\\",\\"location\\" {\\"latitude\\" 31 17389,\\"state\\" \\"shanghaishi\\",\\"countrycode\\" \\"cn\\",\\"countryname\\" \\"china\\",\\"longitude\\" 121 41498,\\"city\\" \\"xuhuiqu\\",\\"asn\\" 4134},\\"$id\\" \\"uksouth 4\\"}],\\"workspacearmid\\" \\"/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/defaultresourcegroup cus/providers/microsoft operationalinsights/workspaces/defaultworkspace 475461213b189 13ff 42fe b370 df6da421bce1 cus\\",\\"canbeinvestigated\\"\ true,\\"associatedresource\\" \\"/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf047546\\",\\"reportedtimeutc\\" \\"2023 07 01t18 34 03\\",\\"extendedproperties\\" {\\"protocol\\" \\"tcp\\",\\"resourcetype\\" \\"virtualmachine\\",\\"destinationport\\" \\"22\\",\\"investigationsteps\\" \\"1 reviewtheipaddressesanddetermineiftheyshouldbecommunicatingwiththevirtualmachine\\\r\\\n2 enforcethehardeningrulerecommendedbysecuritycenterwhichwillallowaccessonlytorecommendedipaddresses youcanedittherule'spropertiesandchangetheipaddressestobeallowed,oralternativelyeditthenetworksecuritygroup'srulesdirectly\\",\\"sourceip(s)\[#attempts]\\" \\"ip 216 223 104 50\[1]\\\r\\\nip 92 88 112 115\[1]\\"},\\"reportedseverity\\" \\"low\\",\\"state\\" \\"active\\",\\"instanceid\\" \\"ebabb804 6b04 47546 b8ff a27742ca3fb7\\",\\"alertdisplayname\\" \\"trafficdetectedfromipaddressesrecommendedforblocking\\",\\"isincident\\"\ false,\\"actiontaken\\" \\"undefined\\",\\"description\\" \\"azuresecuritycenterdetectedinboundtrafficfromipaddressesthatarerecommendedtobeblocked thistypicallyoccurswhenthisipaddressdoesn'tcommunicateregularlywiththisresource 
\\\r\\\nalternatively,theipaddresshasbeenflaggedasmaliciousbysecuritycenter'sthreatintelligencesources \\",\\"remediationsteps\\" \\"{\\\\\\"kind\\\\\\" \\\\\\"openblade\\\\\\",\\\\\\"displayvalue\\\\\\" \\\\\\"enforcerule\\\\\\",\\\\\\"extension\\\\\\" \\\\\\"microsoft azure security r3\\\\\\",\\\\\\"detailblade\\\\\\" \\\\\\"adaptivenetworkcontrolsresourceblade\\\\\\",\\\\\\"detailbladeinputs\\\\\\" \\\\\\"protectedresourceid=/subscriptions/475461213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf047546\\\\\\"}\\",\\"compromisedentity\\" \\"splunkhf047546\\",\\"vendorname\\" \\"microsoft\\",\\"detectedtimeutc\\" \\"2023 07 01t18 34 03\\"}}\n", " serial" "1", " si" \[ "splunk813", "main" ], " sourcetype" "azure\ securitycenter\ alert", " time" "2023 07 01 18 34 03 000 utc", "host" "127 0 0 1", "index" "main", "linecount" "2", "source" "azure securitycenter alert eventgen", "sourcetype" "azure\ securitycenter\ alert", "splunk server" "splunk813" }, { " bkt" "main 347 8a6b8c24 39c2 41d1 a0de 53a1e4936f43", " cd" "347 962469982", " indextime" "1688236457", " raw" "{\\"name\\" \\"420352518164251999999999 ebabb804 6b04 42035 b8ff a27742ca3fb7\\",\\"type\\" \\"microsoft security/locations/alerts\\",\\"id\\" \\"/subscriptions/420351213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft security/locations/westus/alerts/420352518164251999999999 ebabb804 6b04 42035 b8ff a27742ca3fb7\\",\\"properties\\" {\\"alertname\\" \\"network trafficfromunrecommendedip\\",\\"confidencereasons\\" \[],\\"subscriptionid\\" \\"420351213b189 13ff 42fe b370 df6da421bce1\\",\\"entities\\" \[{\\"type\\" \\"azure resource\\",\\"resourceid\\" \\"/subscriptions/420351213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf042035\\",\\"$id\\" \\"westus 1\\"},{\\"type\\" \\"host\\",\\"$id\\" \\"westus 2\\",\\"azureid\\" \\"/subscriptions/420351213b189 13ff 42fe b370 
df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf042035\\"},{\\"address\\" \\"107 184 36 92\\",\\"type\\" \\"ip\\",\\"location\\" {\\"latitude\\" 32 04583,\\"state\\" \\"jiangsu\\",\\"countrycode\\" \\"cn\\",\\"countryname\\" \\"china\\",\\"longitude\\" 118 78417,\\"city\\" \\"nanjing\\",\\"asn\\" 23650},\\"$id\\" \\"westus 3\\"},{\\"address\\" \\"92 88 112 115\\",\\"type\\" \\"ip\\",\\"location\\" {\\"latitude\\" 31 17389,\\"state\\" \\"shanghaishi\\",\\"countrycode\\" \\"cn\\",\\"countryname\\" \\"china\\",\\"longitude\\" 121 41498,\\"city\\" \\"xuhuiqu\\",\\"asn\\" 4134},\\"$id\\" \\"westus 4\\"}],\\"workspacearmid\\" \\"/subscriptions/420351213b189 13ff 42fe b370 df6da421bce1/resourcegroups/defaultresourcegroup cus/providers/microsoft operationalinsights/workspaces/defaultworkspace 420351213b189 13ff 42fe b370 df6da421bce1 cus\\",\\"canbeinvestigated\\"\ true,\\"associatedresource\\" \\"/subscriptions/420351213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf042035\\",\\"reportedtimeutc\\" \\"2023 07 01t18 34 03\\",\\"extendedproperties\\" {\\"protocol\\" \\"tcp\\",\\"resourcetype\\" \\"virtualmachine\\",\\"destinationport\\" \\"22\\",\\"investigationsteps\\" \\"1 reviewtheipaddressesanddetermineiftheyshouldbecommunicatingwiththevirtualmachine\\\r\\\n2 enforcethehardeningrulerecommendedbysecuritycenterwhichwillallowaccessonlytorecommendedipaddresses youcanedittherule'spropertiesandchangetheipaddressestobeallowed,oralternativelyeditthenetworksecuritygroup'srulesdirectly\\",\\"sourceip(s)\[#attempts]\\" \\"ip 107 184 36 92\[1]\\\r\\\nip 92 88 112 115\[1]\\"},\\"reportedseverity\\" \\"low\\",\\"state\\" \\"active\\",\\"instanceid\\" \\"ebabb804 6b04 42035 b8ff a27742ca3fb7\\",\\"alertdisplayname\\" \\"trafficdetectedfromipaddressesrecommendedforblocking\\",\\"isincident\\"\ false,\\"actiontaken\\" \\"undefined\\",\\"description\\" 
\\"azuresecuritycenterdetectedinboundtrafficfromipaddressesthatarerecommendedtobeblocked thistypicallyoccurswhenthisipaddressdoesn'tcommunicateregularlywiththisresource \\\r\\\nalternatively,theipaddresshasbeenflaggedasmaliciousbysecuritycenter'sthreatintelligencesources \\",\\"remediationsteps\\" \\"{\\\\\\"kind\\\\\\" \\\\\\"openblade\\\\\\",\\\\\\"displayvalue\\\\\\" \\\\\\"enforcerule\\\\\\",\\\\\\"extension\\\\\\" \\\\\\"microsoft azure security r3\\\\\\",\\\\\\"detailblade\\\\\\" \\\\\\"adaptivenetworkcontrolsresourceblade\\\\\\",\\\\\\"detailbladeinputs\\\\\\" \\\\\\"protectedresourceid=/subscriptions/420351213b189 13ff 42fe b370 df6da421bce1/resourcegroups/bots/providers/microsoft compute/virtualmachines/splunkhf042035\\\\\\"}\\",\\"compromisedentity\\" \\"splunkhf042035\\",\\"vendorname\\" \\"microsoft\\",\\"detectedtimeutc\\" \\"2023 07 01t18 34 03\\"}}\n", " serial" "2", " si" \[ "splunk813", "main" ], " sourcetype" "azure\ securitycenter\ alert", " time" "2023 07 01 18 34 03 000 utc", "host" "127 0 0 1", "index" "main", "linecount" "2", "source" "azure securitycenter alert eventgen", "sourcetype" "azure\ securitycenter\ alert", "splunk server" "splunk813" }, { " bkt" "main 347 8a6b8c24 39c2 41d1 a0de 53a1e4936f43", " cd" "347 962468403", " indextime" "1688236454", " raw" "{\\"insertid\\" \\" vw4eqbddh3o\\",\\"logname\\" \\"projects/gsa project 1510183/logs/cloudaudit googleapis com%2factivity\\",\\"operation\\" {\\"id\\" \\"operation 1594833414679 5aa7e17286b93 080f8d1e e47a162e\\",\\"last\\"\ true,\\"producer\\" \\"compute googleapis com\\"},\\"protopayload\\" {\\"@type\\" \\"type googleapis com/google cloud audit auditlog\\",\\"authenticationinfo\\" {\\"principalemail\\" \\"gsa labs2\@splunk com\\"},\\"methodname\\" \\"beta compute disks insert\\",\\"request\\" {\\"@type\\" \\"type googleapis com/compute disks insert\\"},\\"requestmetadata\\" {\\"callerip\\" \\"2601 204\ c481 85d0 8d7a 8599 34b7 5736\\",\\"callersupplieduseragent\\" \\"mozilla/5 0 
(macintosh; intel mac os x 10 14 6) applewebkit/537 36 (khtml, like gecko) chrome/83 0 4103 116 safari/537 36,gzip(gfe)\\"},\\"resourcename\\" \\"projects/gsa project 1510183/zones/<#token region#>/disks/disk4\\",\\"servicename\\" \\"compute googleapis com\\"},\\"receivetimestamp\\" \\"2023 07 01t18 34 03 000000235199z\\",\\"resource\\" {\\"labels\\" {\\"disk id\\" \\"6175893735208027369\\",\\"project id\\" \\"gsa project 1510183\\",\\"zone\\" \\"<#token region#>\\"},\\"type\\" \\"gce disk\\"},\\"severity\\" \\"notice\\",\\"timestamp\\" \\"2023 07 01t18 34 03\\"}\n", " serial" "3", " si" \[ "splunk813", "main" ], " sourcetype" "google\ gcp\ pubsub\ audit", " time" "2023 07 01 18 34 03 000 utc", "host" "127 0 0 1", "index" "main", "linecount" "2", "source" "google gcp pubsub audit disks eventgen", "sourcetype" "google\ gcp\ pubsub\ audit", "splunk server" "splunk813" }, { " bkt" "main 347 8a6b8c24 39c2 41d1 a0de 53a1e4936f43", " cd" "347 962465356", " indextime" "1688236453", " raw" "{\\"insertid\\" \\" d16si2dees0\\",\\"logname\\" \\"projects/gsa project 151018/logs/cloudaudit googleapis com%2factivity\\",\\"operation\\" {\\"id\\" \\"operation 1594833240214 5aa7e0cc24c27 6bd67487 52539e26\\",\\"last\\"\ true,\\"producer\\" \\"compute googleapis com\\"},\\"protopayload\\" {\\"@type\\" \\"type googleapis com/google cloud audit auditlog\\",\\"authenticationinfo\\" {\\"principalemail\\" \\"gsa labs2\@splunk com\\"},\\"methodname\\" \\"v1 compute instances start\\",\\"request\\" {\\"@type\\" \\"type googleapis com/compute instances start\\"},\\"requestmetadata\\" {\\"callerip\\" \\"2601 204\ c481 85d0 8d7a 8599 34b7 5736\\",\\"callersupplieduseragent\\" \\"mozilla/5 0 (macintosh; intel mac os x 10 14 6) applewebkit/537 36 (khtml, like gecko) chrome/83 0 4103 116 safari/537 36,gzip(gfe),gzip(gfe)\\"},\\"resourcename\\" \\"projects/gsa project 1510183/zones/<#token region#>/instances/instance4\\",\\"servicename\\" \\"compute googleapis com\\"},\\"receivetimestamp\\" 
\\"2023 07 01t18 34 03 000000483036z\\",\\"resource\\" {\\"labels\\" {\\"instance id\\" \\"<#token instanceid#>\\",\\"project id\\" \\"gsa project 1510183\\",\\"zone\\" \\"<#token region#>\\"},\\"type\\" \\"gce instance\\"},\\"severity\\" \\"notice\\",\\"timestamp\\" \\"2023 07 01t18 34 03\\"} \n", " serial" "4", " si" \[ "splunk813", "main" ], " sourcetype" "google\ gcp\ pubsub\ audit", " time" "2023 07 01 18 34 03 000 utc", "host" "127 0 0 1", "index" "main", "linecount" "2", "source" "google gcp pubsub audit instances eventgen", "sourcetype" "google\ gcp\ pubsub\ audit", "splunk server" "splunk813" } ], "status code" 200, "response headers" { "date" "mon, 17 jul 2023 20 53 02 gmt", "expires" "thu, 26 oct 1978 00 00 00 gmt", "cache control" "no store, no cache, must revalidate, max age=0", "content type" "application/json; charset=utf 8", "x content type options" "nosniff", "transfer encoding" "chunked", "content encoding" "gzip", "vary" "accept encoding, cookie, authorization", "connection" "keep alive", "x frame options" "sameorigin", "server" "splunkd" }, "reason" "ok" } ]

Output parameters (field names are shown with the leading underscores that extraction stripped; these are Splunk's standard internal fields):
- json_body (array) – one object per returned event, each containing `_bkt` (string), `_cd` (string), `_indextime` (string), `_raw` (string), `_serial` (string), `_si` (array), `_sourcetype` (string), `_subsecond` (string), `_time` (string), `host` (string), `index` (string), `linecount` (string), `source` (string), `sourcetype` (string) and `splunk_server` (string). Note that `_raw` is always delivered as a string: when the indexed event is itself JSON (as in the example above) it arrives escaped inside that string and must be parsed separately if its fields are needed downstream.
- status_code (number) – HTTP status code of the Splunk response.
- reason (string) – HTTP reason phrase of the Splunk response, e.g. `OK`.
- response_headers (object) – header name to string value: date, expires, cache-control, content-type, x-content-type-options, transfer-encoding, content-encoding, vary, connection, x-frame-options, server.