
Splunk#

Version: 1.0.1 · Category: SIEM · Plan: Base+

Full Splunk integration covering SPL queries, saved searches, alerts, indexes, and KV store management. Supports Splunk Enterprise (on-premises) and Splunk Cloud (HTTP Event Collector).

Tools#

search_splunk — SPL query#

Execute any SPL (Search Processing Language) query:

| Parameter | Default | Description |
|---|---|---|
| query | Required | SPL query (must start with search) |
| earliest_time | -24h | Start of time range |
| latest_time | now | End of time range |
| max_results | 100 | Maximum results to return |

SPL usage examples:

search index=firewall action=blocked src_ip=185.220.101.1 | table _time, src_ip, dest_ip, dest_port

search index=auth EventCode=4625 | stats count by src_ip | sort -count

search index=web status=200 | rex field=_raw "user=(?P<username>\w+)" | table _time, username, uri

list_indexes — Index list#

List all available Splunk indexes, including:

  • Event count
  • Storage size
  • Time range (minTime to maxTime)
  • Event processing rate

list_saved_searches — Saved searches list#

List all saved searches and alert definitions, including:

  • SPL query content
  • Schedule and trigger configuration
  • Application namespace (app context)

get_saved_search — Get saved search detail#

Retrieve the full configuration of a saved search by name.

run_saved_search — Run saved search#

Run a previously defined saved search by name and return results immediately, without waiting for scheduled execution.


get_search_results — Get async search results#

Retrieve results from a previously submitted search by search_id. Used for polling the results of long-running queries.
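A minimal client for the search_splunk and get_search_results flow described above, added here as an example rather than the integration's own code: it enforces the must-start-with-search rule, creates the job on the standard Splunk REST API search endpoint with earliest_time/latest_time, polls the job by sid, and fetches up to max_results rows. The SplunkSearch and FakeTransport names and the sample result rows are assumptions made for this example.

```python
import json, time, urllib.parse, urllib.request

def validate_spl(query: str) -> str:
    q = query.strip()
    if not q.lower().startswith("search "):  # search_splunk requires the search command first
        raise ValueError("SPL query must start with 'search'")
    return q

class SplunkSearch:
    """Submit an SPL job, poll it by sid, then fetch its results (Splunk REST API)."""
    def __init__(self, base_url, token, transport=None):
        self.base = base_url.rstrip("/")                     # SPLUNK_URL
        self.headers = {"Authorization": f"Bearer {token}"}  # SPLUNK_TOKEN
        self.transport = transport or self._http             # transport(method, path, params) -> dict
    def _http(self, method, path, params):
        qs = urllib.parse.urlencode(dict(params, output_mode="json"))
        url, body = f"{self.base}{path}?{qs}", None
        if method == "POST":                                 # job creation takes a form-encoded body
            url, body = f"{self.base}{path}", qs.encode()
        req = urllib.request.Request(url, data=body, headers=self.headers, method=method)
        with urllib.request.urlopen(req) as resp:            # TLS certificate verification stays on
            return json.load(resp)
    def submit(self, query, earliest_time="-24h", latest_time="now"):
        params = {"search": validate_spl(query), "earliest_time": earliest_time,
                  "latest_time": latest_time}
        return self.transport("POST", "/services/search/jobs", params)["sid"]
    def is_done(self, sid):                                  # what get_search_results polls
        job = self.transport("GET", f"/services/search/jobs/{sid}", {})
        return bool(job["entry"][0]["content"]["isDone"])
    def results(self, sid, max_results=100):
        path = f"/services/search/jobs/{sid}/results"
        return self.transport("GET", path, {"count": max_results})["results"]
    def search(self, query, max_results=100, poll_interval=1.0, **time_range):
        sid = self.submit(query, **time_range)
        while not self.is_done(sid):
            time.sleep(poll_interval)
        return self.results(sid, max_results)

class FakeTransport:
    """Constructed stand-in for the REST API so the client can be exercised offline."""
    polls = 0
    def __call__(self, method, path, params):
        if path == "/services/search/jobs":                  # job creation returns the sid
            return {"sid": "1700000000.1"}
        if path.endswith("/results"):                        # result rows, honouring count
            rows = [{"src_ip": "185.220.101.1", "count": "42"}, {"src_ip": "10.0.0.5", "count": "3"}]
            return {"results": rows[: params["count"]]}
        self.polls += 1                                      # job status: done on the second poll
        return {"entry": [{"content": {"isDone": self.polls >= 2}}]}
```

Pass a real SPLUNK_URL and token without a transport to run against a live instance; the fake transport only exercises the client logic.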


list_kv_store_collections — KV store list#

List all KV store collections within a specified app namespace. KV stores are used for Splunk's lookup tables, threat intelligence lists, and allowlists.


query_kv_store — KV store query#

Query KV store data with filter conditions:

| Parameter | Description |
|---|---|
| app | App name |
| collection | Collection name |
| query | MongoDB-style filter (e.g. {"status": "active"}) |
| limit | Maximum number of results |

add_kv_store_record — Add KV store record#

Add a new record to a KV store collection. Commonly used for adding entries to an allowlist or threat intelligence list.

Configuration#

| Item | Description |
|---|---|
| SPLUNK_URL | Splunk API endpoint (e.g. https://splunk.corp.com:8089) |
| SPLUNK_TOKEN | API token or session token (recommended) |
| SPLUNK_USERNAME / SPLUNK_PASSWORD | Alternative: basic authentication |
| SPLUNK_CLOUD_URL | HEC endpoint (Splunk Cloud only, e.g. https://http-inputs-xxx.splunkcloud.com) |
| SPLUNK_HEC_TOKEN | HEC authentication token (Splunk Cloud only) |

Investigation workflow#

1. list_indexes
   → Identify which index to search

2. search_splunk
   query:"search index=firewall src_ip=<suspicious IP> | table _time, action, dest_ip"
   earliest_time:"-7d"
   → Find all activity from the target IP in the past week

3. search_splunk
   query:"search index=auth EventCode=4625 | stats count by src_ip | sort -count | head 20"
   → Rank failed login attempts by source IP

4. run_saved_search name:"SOC - Failed Logins Alert"
   → Immediately run a scheduled alert to get the latest results

5. add_kv_store_record app:"threat_intel" collection:"blocked_ips"
   record:{"ip":"185.220.101.1","reason":"C2 node","analyst":"alice"}
   → Add confirmed malicious IP to the threat intelligence KV store