data.splunk_search plugin #54

traut opened this issue Jan 26, 2024 · 0 comments
traut commented Jan 26, 2024

Background

Splunk is a leader in the SIEM market and is widely used in the industry.

  • Splunk Cloud Platform is a cloud solution by Splunk.
  • Splunk Enterprise is an on-prem solution by Splunk.

The APIs for both solutions are similar, but Splunk Cloud Platform requires additional access controls. This issue describes the plugin that works with Splunk Enterprise API.

Features

The plugin should be able to send a search request to the API and return the data.

Specification

  • configuration:
    • auth_token -- a string with a Splunk authentication token
    • host -- (optional) a string with a hostname for a Splunk instance
    • deployment_name -- (optional) a string with a deployment name for a Splunk Cloud instance
  • interface:
    • search_query -- (required) string attribute that contains a Splunk query
    • max_count -- (optional) an int, limits the number of events returned by search
    • status_buckets -- (optional) an int value, the maximum number of status buckets to generate
    • rf -- (optional) a list of strings, defines additional fields to be returned
    • earliest_time -- (optional) a string value
    • latest_time -- (optional) a string value

Other non-configurable parameters for API calls:

  • for search/jobs endpoint
    • id should be set to fabric_<randomized-string>
    • exec_mode should be set to blocking
  • for search/jobs/<sid>/results endpoint - output_mode should be set to json

For the exact format of the parameters, see POST request parameters for search/jobs endpoint here.

If host is provided, the base URL is https://<host>:8089/
If deployment_name is provided, the base URL is https://<deployment-name>.splunkcloud.com:8089/

This plugin should be part of the splunk plugin package.

Usage example

  • auth_token is used as a basic auth token (docs)
  • search_query value is submitted via HTTP POST to /services/search/jobs endpoint with all set parameters.
  • the results are fetched from /services/search/v2/jobs/<sid>/results and returned
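The exchange described in the list above, written out as an added Go example (not code from the fabric project): it builds the search/jobs form from the fixed and optional parameters in the specification, submits the blocking job, and fetches the JSON results. `SearchArgs`, `JobForm`, `Search` and `call` are hypothetical names; output_mode=json on the job POST is an addition so the sid is returned as JSON rather than XML, and the token is sent as `Authorization: Bearer`, the header Splunk's REST API uses for authentication tokens, rather than HTTP Basic.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)
// SearchArgs mirrors the plugin interface attributes in the issue; zero values mean "not set".
type SearchArgs struct {
	Query                    string   // search_query: full SPL, including the leading `search` command
	MaxCount, StatusBuckets  int      // max_count, status_buckets
	RF                       []string // rf: additional fields to return
	EarliestTime, LatestTime string   // earliest_time, latest_time
}
// JobForm builds the /services/search/jobs POST body: the issue's fixed exec_mode=blocking and id=fabric_<random>,
// the optional attributes that are set, and output_mode=json (an assumption) so the sid comes back as JSON, not XML.
func JobForm(a SearchArgs, random string) url.Values {
	v := url.Values{"search": {a.Query}, "exec_mode": {"blocking"}, "id": {"fabric_" + random}, "output_mode": {"json"}}
	opt := map[string]string{"earliest_time": a.EarliestTime, "latest_time": a.LatestTime,
		"max_count": strconv.Itoa(a.MaxCount), "status_buckets": strconv.Itoa(a.StatusBuckets)}
	for k, val := range opt {
		if val != "" && val != "0" { v.Set(k, val) } // unset (empty or zero) attributes are omitted
	}
	for _, f := range a.RF { v.Add("rf", f) } // rf is repeatable: one value per extra field
	return v
}
// Search runs the issue's two-step exchange against base (e.g. https://<host>:8089/): submit a blocking job, then
// fetch its results as JSON. The token goes in "Authorization: Bearer", the scheme Splunk's REST API uses for auth tokens.
func Search(c *http.Client, base, token string, a SearchArgs, random string) ([]map[string]any, error) {
	var job struct{ Sid string `json:"sid"` }
	if err := call(c, http.MethodPost, base+"services/search/jobs", token, JobForm(a, random).Encode(), &job); err != nil { return nil, err }
	var res struct{ Results []map[string]any `json:"results"` }
	resURL := base + "services/search/v2/jobs/" + url.PathEscape(job.Sid) + "/results?output_mode=json"
	if err := call(c, http.MethodGet, resURL, token, "", &res); err != nil { return nil, err }
	return res.Results, nil
}
// call sends one authenticated request and decodes a 2xx JSON body into out; 401 (bad token), 400 etc. become errors.
func call(c *http.Client, method, u, token, body string, out any) error {
	req, err := http.NewRequest(method, u, strings.NewReader(body))
	if err != nil { return err }
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil { return err }
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { return fmt.Errorf("%s %s: %s", method, u, resp.Status) }
	return json.NewDecoder(resp.Body).Decode(out)
}
```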

Additional context

@traut traut added the plugins label Jan 26, 2024
@traut traut added this to the v0.3 milestone Jan 26, 2024
@dobarx dobarx mentioned this issue Feb 20, 2024
@traut traut closed this as completed Feb 21, 2024