Splunk Search

Workflow actions and variables

gargantua
Loves-to-Learn Everything

Hi,

We have an internal wiki with tons of useful information about hosts and IPs.

I'm trying to set up a workflow that triggers a search for the value (IP or hostname) on this internal wiki.

First issue: since this workflow action should work with a variety of fields (src_ip, dest_ip, host, src, dest, etc.), what variable shall I use in order to return the selected value in the workflow action? Is there a sort of global variable like $the_selected_value$, no matter whether it's an IP address, a hostname or whatever?

Second issue: I selected my workflow to be applied to any field with a *, but the workflow action is just not available anywhere.

Thanks in advance for your kind help on this matter!

Best


gargantua
Loves-to-Learn Everything

I added the workflow action within the web UI of a search head.

We're using Splunk Enterprise and Enterprise Security.
All of our Splunk instances are on version 9.

We ingest all types of events: *nix, Windows Sysmon, web server access logs, firewalls, etc.

The workflow action is now available, but I still don't know what variable to use in my web request.

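For the variable question raised in the original post and repeated above, here is a workflow_actions.conf stanza added as an illustration (it is not from the thread or its author). Splunk's built-in tokens `$@field_value$` and `$@field_name$` hold the value and name of the field the user clicked, which is the "global" variable being asked about; the stanza name, the wiki URL and the app path are placeholders.

```ini
; workflow_actions.conf, placed in $SPLUNK_HOME/etc/apps/<your_app>/local/
; (<your_app> is a placeholder for the app that should own the action)
[wiki_host_ip_lookup]
; $@field_value$ is substituted with the clicked value (IP or hostname)
label            = Look up $@field_value$ in the internal wiki
type             = link
; Restrict to the fields that carry hosts/IPs; "*" also works but then
; the action is offered on every field of every event
fields           = src_ip, dest_ip, host, src, dest
; event_menu, field_menu or both: which menus show the action
display_location = both
link.method      = get
; open the wiki in a new tab so the search results stay in place
link.target      = blank
; wiki.example.internal is a placeholder for the real wiki search URL
link.uri         = https://wiki.example.internal/search?q=$@field_value$&field=$@field_name$
```

After saving the file, reload the configuration (Settings > Fields > Workflow actions, or restart splunkd) and check the action's sharing permissions if it does not appear for other users.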

ITWhisperer
SplunkTrust

Where is this workflow defined? Which Splunk product(s) and version(s) are you using? What events do you have ingested into Splunk?
