Solved: Can I perform an action in server through Splunk?

Mrig342 · ‎06-02-2022

Hi All,

I want to understand if there is a way to perform an action to the server through Splunk.

For e.g.

to run ls -lrt command for a path
to kill/terminate a process
to run a script on the server etc.

Your kind help will be highly appreciated.

Thank you..!!

PickleRick · ‎06-02-2022

See https://docs.splunk.com/Documentation/Splunk/8.2.6/AdvancedDev/ModAlertsIntro

View solution in original post

PickleRick · ‎06-02-2022

You could write custom alert actions to perform various tasks but in general it's not something that really should be done by splunk. This is more a SOAR (like Phantom) domain, not Splunk Enterprise.

There would be many caveats to avoid/overcome (like handling credentials) so it's not that straightforward to do. But theoretically - yes, you can do "anything" using custom actions. As long as you can script it.

Mrig342 · ‎06-02-2022

Thank you @PickleRick

Can you help me with some splunk documents to go through on this topic to explore.

Your help is much appreciated..!!

PickleRick · ‎06-02-2022

See https://docs.splunk.com/Documentation/Splunk/8.2.6/AdvancedDev/ModAlertsIntro

Can I perform an action in server through Splunk?

configuration

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?