Triggering workflow action for use in a report

jlsantini
Explorer

Hi,

We installed the #AbuseIPDB app in our Splunk cloud instance. I created a workflow action called jodi_abuse_ipdb using the documentation provided in the app:

Label: Check $ip$ with AbuseIPDB
Apply only to: ip
Search string: |makeresults|abuseipdbcheck ip=$ip$

I'd like to be able to use this for a report, but I haven't figured out how to trigger or call this workflow action to provide results. I've done Google searches and I've tried a number of things. I am hoping someone in the community might be able to help.

Thank you!

Jodi

richgalloway
SplunkTrust

Workflow actions are an interactive feature used in search results to perform something on an event.  See https://dev.splunk.com/enterprise/docs/devtools/customworkflowactions and https://docs.splunk.com/Documentation/Splunk/9.3.2/Knowledge/CreateworkflowactionsinSplunkWeb#Contro... for more information.

That said, workflow actions are not applicable to reports.

If you put the report in a dashboard, then you add a drilldown that uses the same search as your workflow action.

---
If this reply helps you, Karma would be appreciated.

jlsantini
Explorer

Thank you @richgalloway  I appreciate the information.  It looks like I was trying to do something that isn't possible.  I'll review the documentation you sent and look at trying this as a dashboard.

Thanks again!

jlsantini
Explorer

My end goal is to be able to use the AbuseIPDB API to look up IP addresses and give back information rather than maintaining a spreadsheet lookup table. I was able to pull the blacklist data from AbuseIPDB as a CSV and my report using the CSV lookup works. I'm trying to get data on IPs, blacklist or not, leveraging the API.

I want a report that looks like the one I have for blacklisted IPs.

jlsantini_0-1733330185358.png

jlsantini
Explorer

Here is my workflow action:

jlsantini_0-1733329050784.png

This is the search I created for my report:

index=oht_f5 request_status!="passed" workflow action="jodi_abuse_ipdb"

I get 0 results.  When I take off the workflow action piece, I get 635 results in 15 minutes.
