Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Triggering workflow action for use in a report

jlsantini
Explorer
‎12-03-2024 09:19 AM

Hi,

We installed the #AbuseIPDB app in our Splunk cloud instance.  I created a workflow action called jodi_abuse_ipdb using the documentation provided in the app

Label: Check $ip$ with AbuseIPDB
Apply only to: ip
Search string: |makeresults|abuseipdbcheck ip=$ip$

I'd like to be able to use this for a report but I haven't figured out how trigger to call this workflow action to provide results.  I've done Google searches and I've tried a number of things. I am hoping someone in the community might be able to help.

Thank you!

Jodi

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2024 11:23 AM

Workflow actions are an interactive feature used in search results to perform something on an event.  See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Contro... for more information.

That said, workflow actions are not applicable to reports.

If you put the report in a dashboard, then you add a drilldown that uses the same search as your workflow action.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2024 11:23 AM

Workflow actions are an interactive feature used in search results to perform something on an event.  See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Contro... for more information.

That said, workflow actions are not applicable to reports.

If you put the report in a dashboard, then you add a drilldown that uses the same search as your workflow action.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jlsantini
Explorer
‎12-04-2024 11:26 AM

Thank you @richgalloway  I appreciate the information.  It looks like I was trying to do something that isn't possible.  I'll review the documentation you sent and look at trying this as a dashboard.

Thanks again!

0 Karma
Reply
Solved! Jump to solution

jlsantini
Explorer
‎12-04-2024 08:37 AM

My end goal is to be able to use the AbuseIDB  API to look up IP addresses and give back information rather than maintaining spreadsheet lookup table.  I was able to pull the blacklist data from AbuseIPDB as a CSV and my report using the CSV lookup works.  I'm trying to get data on IPs, blacklist or not, leveraging the API.

I want a report that looks like the one I have for blacklisted IPs.

jlsantini_0-1733330185358.png

 

0 Karma
Reply
Solved! Jump to solution

jlsantini
Explorer
‎12-04-2024 08:18 AM

Here my workflow action:

jlsantini_0-1733329050784.png

 

This is the search I created for my report:

index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"

I get 0 results.  When I take off the workflow action piece, I get 635 results in 15 minutes.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...