Hi,
We installed the #AbuseIPDB app in our Splunk cloud instance. I created a workflow action called jodi_abuse_ipdb using the documentation provided in the app:
Label: Check $ip$ with AbuseIPDB
Apply only to: ip
Search string: |makeresults|abuseipdbcheck ip=$ip$
I'd like to be able to use this for a report, but I haven't figured out how to trigger or call this workflow action to provide results. I've done Google searches and I've tried a number of things. I am hoping someone in the community might be able to help.
Thank you!
Jodi
Workflow actions are an interactive feature used in search results to perform something on an event. See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Contro... for more information.
That said, workflow actions are not applicable to reports.
If you put the report in a dashboard, then you add a drilldown that uses the same search as your workflow action.
If this reply helps you, Karma would be appreciated.
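Added example, not part of the original thread or of the AbuseIPDB app: a Simple XML dashboard whose table drilldown runs the same search string as the workflow action for the clicked IP. The index and `request_status` filter are taken from the asker's later post; the `ip` field name, the `stats` aggregation and the dashboard label are assumptions.

```xml
<dashboard version="1.1">
  <!-- Label is constructed for this example -->
  <label>Non-passed requests by source IP (example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Assumes events in this index carry an "ip" field,
               the same field the workflow action is applied to -->
          <query>index=oht_f5 request_status!="passed" | stats count by ip | sort - count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Opens the Search view in a new tab with the workflow action's
               search string: |makeresults|abuseipdbcheck ip=<clicked ip>.
               $row.ip|u$ inserts the clicked row's ip value, URL-encoded,
               so the value cannot break the link's query string. -->
          <link target="_blank">search?q=%7Cmakeresults%7Cabuseipdbcheck%20ip%3D$row.ip|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Each click issues one lookup for one IP, so the number of AbuseIPDB API calls stays under the analyst's control.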
Thank you @richgalloway I appreciate the information. It looks like I was trying to do something that isn't possible. I'll review the documentation you sent and look at trying this as a dashboard.
Thanks again!
My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV and my report using the CSV lookup works. I'm trying to get data on IPs, blacklist or not, leveraging the API.
I want a report that looks like the one I have for blacklisted IPs.
Here is my workflow action:
This is the search I created for my report:
index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"
I get 0 results. When I take off the workflow action piece, I get 635 results in 15 minutes.
