
Splunk Event Query activity

The Splunk Event Query workflow activity searches the Splunk event logs for malicious indicators.

The Splunk Event Query activity can be used with any workflow to search the Splunk event logs.

Results

Possible results for this activity are:

Table 1. Results
Result    Description
Success   Splunk
Failure   An error occurred while attempting to verify the Splunk query. More error information is available in the activity output error.

Input variables

Input variables determine the initial behavior of the activity.

Variable          Description
user              User name for the Splunk system.
password          Password for the Splunk system.
observables       The list of observables from Trusted Security Circles or the security incident task to search for. Returned in JSON format.
base_url          URL of the Splunk integration endpoint.
link_base_url     Link to the Splunk web interface, when available.
source            Source of the request to run the workflow. Supported inputs are: Trusted Security Circles or security incident task.
max_rows          Maximum rows to return from the query. The limit depends on the third-party integration.
days_to_search    Days to search from the current day backwards. Default is 7.
query             Search syntax. $(observable) is the default.
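The table above describes the inputs but not how they combine into a search. The following is an added example, not ServiceNow's or Splunk's own code, showing one way those inputs could be turned into a Splunk search per observable. The $(observable) placeholder, the days_to_search default of 7 and the max_rows limit come from the table; the observable JSON shape ([{"type": ..., "value": ...}]), the surrounding SPL (earliest=-Nd, | head N) and the function names are assumptions. Because observables originate outside the workflow (Trusted Security Circles or a security incident task), the example quotes and escapes each value before substitution rather than pasting it raw into the query.

```javascript
// Added example (not the activity's real implementation). Builds one Splunk
// search string per observable from the activity's input variables.

// Escape an observable value so it is safe inside a double-quoted SPL string.
// Observables come from outside the workflow, so a raw paste could let a value
// such as  foo" OR index=*  change the meaning of the search.
function escapeSplValue(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Replace every $(observable) occurrence in the query template (the page's
// documented placeholder) with the quoted observable value.
function expandQueryTemplate(template, observableValue) {
  return template.split('$(observable)').join(escapeSplValue(observableValue));
}

// inputs mirrors the input variables table: observables (JSON string), query,
// days_to_search and max_rows. The JSON shape of observables is an assumption.
function buildSplunkSearches(inputs) {
  var observables = JSON.parse(inputs.observables || '[]');
  var template = inputs.query || '$(observable)'; // page: $(observable) is the default
  var days = parseInt(inputs.days_to_search, 10);
  if (isNaN(days) || days < 1) {
    days = 7; // page: default is 7
  }
  var maxRows = parseInt(inputs.max_rows, 10);
  var searches = [];
  for (var i = 0; i < observables.length; i++) {
    var value = observables[i].value;
    if (!value) {
      continue; // skip malformed entries instead of searching for "undefined"
    }
    // earliest=-Nd is an assumed way to express "days back from today" in SPL
    var spl = 'search earliest=-' + days + 'd ' + expandQueryTemplate(template, value);
    if (!isNaN(maxRows) && maxRows > 0) {
      spl += ' | head ' + maxRows; // assumed way to honour max_rows
    }
    searches.push({ observable: observables[i], spl: spl });
  }
  return searches;
}

// Constructed sample input; the second observable carries a quote to show
// that escaping keeps it inside the string literal.
var sampleInputs = {
  observables: JSON.stringify([
    { type: 'ip', value: '198.51.100.7' },
    { type: 'domain', value: 'example.test" OR index=*' }
  ]),
  query: 'index=firewall $(observable)',
  days_to_search: '3',
  max_rows: '50'
};

console.log(JSON.stringify(buildSplunkSearches(sampleInputs), null, 2));
```

Running the block prints two searches; the second shows the injected quote escaped as \" so the observable stays a single string value in the search.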

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable    Description
output      Output of the query in JSON format.
