Splunk event actions

When reviewing Splunk logs, you can rapidly create security events and security incidents in ServiceNow from any item in the log using Event Actions.

Clicking either of these actions creates a manual search command populated with the data from the log entry and runs it to generate the new record.

Figure 1. Event actions

These actions are easily configured to add fields from your normalized data. In Splunk, under Settings > Fields > Workflow Actions, you can select and edit either action using the manual search fields shown in the example.

Figure 2. Workflow actions

You can choose where the action is shown and for which fields it is available, and you can modify the search string containing the search command that creates your record.

Figure 3. Create ServiceNow security event
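The same settings expressed as a Splunk workflow_actions.conf stanza, as an added example that is not from this page or the ServiceNow integration; the stanza name, the field names and the command name CREATE_SECURITY_EVENT_COMMAND are placeholders, and the real custom search command is the one shipped with your integration.

```ini
# Added example: a search-type workflow action of the kind described above.
# CREATE_SECURITY_EVENT_COMMAND is a placeholder for the integration's command.
[create_sn_security_event]
label = Create ServiceNow security event
type = search

# Where the action is shown: event_menu, field_menu, or both
display_location = event_menu

# The action is offered only when the event contains these fields
fields = src, dest, signature

# Search string run when the action is clicked; $field$ tokens are replaced
# with the selected event's field values before the command executes
search.search_string = | CREATE_SECURITY_EVENT_COMMAND source_ip="$src$" dest_ip="$dest$" description="$signature$"

# Time range and window in which the generated search runs
search.earliest = -5m
search.latest = now
search.target = current
search.view = search

disabled = 0
```

Because the $field$ tokens are substituted verbatim from the log entry, the command receives whatever the event contained; review the resulting ServiceNow record fields when you first enable the action.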