Splunk Search

Triggering workflow action for use in a report

jlsantini
Explorer

Hi,

We installed the #AbuseIPDB app in our Splunk Cloud instance. I created a workflow action called jodi_abuse_ipdb using the documentation provided in the app.

Label: Check $ip$ with AbuseIPDB
Apply only to: ip
Search string: |makeresults|abuseipdbcheck ip=$ip$

I'd like to be able to use this for a report, but I haven't figured out how to trigger this workflow action so that it provides results. I've done Google searches and I've tried a number of things. I am hoping someone in the community might be able to help.

Thank you!

Jodi

0 Karma
1 Solution

richgalloway
SplunkTrust

Workflow actions are an interactive feature used in search results to perform something on an event.  See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Contro... for more information.

That said, workflow actions are not applicable to reports.

If you put the report in a dashboard, then you add a drilldown that uses the same search as your workflow action.

---
If this reply helps you, Karma would be appreciated.
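A Simple XML dashboard showing the drilldown approach described in this answer, added here as an example; it is not code from the original thread or from the AbuseIPDB app. It assumes the index and field names from the question (index=oht_f5, request_status, ip) and that the app's abuseipdbcheck command is installed; the token name ip_tok and the panel titles are made up.

```xml
<dashboard>
  <label>Failed requests with AbuseIPDB check</label>
  <row>
    <panel>
      <title>Failed requests by source IP (click a row to check it)</title>
      <table>
        <search>
          <!-- Base report search, assumed from the question's index and field names -->
          <query>index=oht_f5 request_status!="passed" | stats count BY ip | sort - count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- Clicking a row stores the clicked IP in the ip_tok token (made-up name).
             This replaces the $ip$ substitution the workflow action would have done. -->
        <drilldown>
          <set token="ip_tok">$row.ip$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- This row stays hidden until a row has been clicked and ip_tok is set -->
  <row depends="$ip_tok$">
    <panel>
      <title>AbuseIPDB result for $ip_tok$</title>
      <table>
        <search>
          <!-- Same search string as the workflow action, with the token in place of $ip$ -->
          <query>| makeresults | abuseipdbcheck ip=$ip_tok$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The first panel is the report itself; the second runs the AbuseIPDB lookup only for the IP the user clicked, so the API is not called once per row.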



jlsantini
Explorer

Thank you @richgalloway, I appreciate the information. It looks like I was trying to do something that isn't possible. I'll review the documentation you sent and look at trying this as a dashboard.

Thanks again!

0 Karma

jlsantini
Explorer

My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV, and my report using the CSV lookup works. I'm trying to get data on IPs, blacklist or not, leveraging the API.

I want a report that looks like the one I have for blacklisted IPs.

[screenshot: blacklisted IP report]

0 Karma

jlsantini
Explorer

Here is my workflow action:

[screenshot: workflow action configuration]

This is the search I created for my report:

index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"

I get 0 results. When I take off the workflow action piece, I get 635 results in 15 minutes.

0 Karma