Splunk 101: Workflow Actions


Hey, and welcome to the video! My name is Elliot Riegner and I’m here with the Kinney Group to bring you a tutorial on Splunk Workflow Actions.

To get started, we’ll cover the different types of workflow actions, how to configure them in Splunk Web, and a few use cases.

In order to implement workflow actions in your Splunk environment, first assess which type of action best fits what you are trying to achieve. Then create a new workflow action, configure it in Splunk Web, and validate the results.

Splunk’s link workflow actions come in two flavors: GET and POST. Both issue an HTTP request from the user’s browser to an external web resource, either to retrieve results for a specific field value or to push data out.

The GET workflow action takes a selected field value, or several, from an event and passes them to a web resource as part of the URL, so the results open on another website. An example of this workflow action is taking an HTTP status code found in an event and googling what the code means.

The POST workflow action sends data to a remote web server in the body of the request. Examples include filling out online forms and creating tickets from alerts.

The more advanced Search workflow actions launch a secondary search that uses specific field values from an event, such as a search for every occurrence of a specific combination of ipaddress and http_status field values in your index over a chosen time range.

Using the Whois lookup website, I want to create a workflow action that looks up any chosen IP address found within Splunk events.

Let us take a look at how this works:
Manually typing in any IP generates a report with useful information. I now see that the address I searched belongs to Google.
Looking at the URL, I can see that it contains the IP address I entered. This is a perfect fit for a GET workflow action.

Let us take a look at some events within Splunk Web. This example uses Splunk’s tutorial dataset. After widening my search time range to maximize results and searching within my main index, I see quite a few events with interesting fields. Let’s dive in. Taking a closer look at an event, I can see that the clientip field is usable for our GET workflow action. You can view the configured workflow actions for an event via the Event Actions dropdown.

Next, let’s configure the workflow action.

To get started, on Splunk Web navigate to Settings > Fields > Workflow Actions.

After doing so, we can click Add New to create a new Workflow Action.

Our GET workflow action will take any IP found in an event and send an HTTP request to the Whois lookup website, so let’s name it accordingly.
A label is also needed. It can be named dynamically with the event’s field value by enclosing the field name in dollar signs, for example $clientip$. We will see what this looks like shortly.

Next, I will apply this workflow action only to events that have the clientip field. The field name you enter here must match the extracted field exactly, since field names are case-sensitive; otherwise the action never appears.

To configure the Link, paste the website URL and replace the IP address in it with the field name surrounded by dollar signs, exactly where the IP appeared when you searched manually. Splunk URL-encodes the substituted field value when it builds the request. Keep in mind that the link is opened by your browser, so the IP taken from your event is sent to a third-party site; think about that before pointing an action at sensitive field values.

I will leave the default of opening in a new window and lastly select GET as the link method.
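For readers who deploy Splunk configuration as files rather than clicking through Splunk Web, here is an added example (not from the video) of the workflowactions.conf stanzas equivalent to the GET action configured in the steps above and to the Search action described earlier. Splunk Web writes these under the app you created them in; the path below assumes the Search app. The lookup URL, the stanza names, and the clientip and status field names (which match the tutorial dataset and stand in for the ipaddress/http_status example) are my assumptions; the keys themselves are Splunk’s.

```ini
# Added example, not from the video.
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/workflowactions.conf
# The lookup URL below is a placeholder for whatever site you copied.

# GET link action: opens the whois lookup for the event's clientip value
[whois_clientip_lookup]
type = link
# Label shown in the Event Actions menu; $clientip$ is replaced per event
label = Whois lookup for $clientip$
# Only offer the action on events (or field menus) that carry this field
fields = clientip
# event_menu, field_menu, or both
display_location = both
# Splunk URL-encodes the substituted value before issuing the request
link.uri = https://whois-lookup.example.com/$clientip$
link.method = get
# blank = new window, self = current window
link.target = blank

# Search action: pivot from one event to every other event with the same
# client IP and HTTP status code over the last 24 hours
[related_requests_by_ip_and_status]
type = search
label = Other $status$ responses from $clientip$
fields = clientip, status
display_location = event_menu
search.search_string = index=main clientip=$clientip$ status=$status$
search.earliest = -24h
search.latest = now
search.target = blank
```

Actions created in Splunk Web take effect immediately; stanzas added directly to the file need a restart (or a debug/refresh) before they show up in the Event Actions dropdown.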

As you can see, my workflow action was created successfully. Now, let’s see what it looks like under the Event Actions dropdown.

After searching again for events within my main index and expanding one of the results, the newly created, dynamically named workflow action can be found. Its name depends on the clientip field of each individual event. After clicking it, the workflow action executes in a new window and the information regarding that IP address is displayed.

Thank you for joining me in today’s video, I hope you enjoyed yourself and learned something new about workflow actions!

Meet our Expert Team

Be on the lookout for more Splunk tutorials! My team, the Tech Ops team, runs our Expertise on Demand service, which I’ll touch on a little more below. Our EOD team is responsible for knowing everything and anything around Splunk best practice… that’s why you’ll get access to a ton of video and written content from our team. EOD is designed to answer your team’s daily questions and break through stubborn roadblocks. Let us know below how we can help.
