Package Documentation
Storm Package: synapse-splunk
The following Commands are available from this package. This documentation is generated for version 0.3.1 of the package.
Storm Commands
This package implements the following Storm Commands.
splunk.search
Retrieve Splunk results and create it:log:event nodes.
"search " is automatically prepended to the query if the query does not already start with it or with another generating command.
If the "log_level" or "level" field exists it will be used to set it:log:event:severity.
Indicators are automatically scraped from the "_raw" field and linked back to the it:log:event node with a -(refs)> light edge.
This behavior can be disabled with the --skip-scrape option.
This command will also create an it:exec:query node to represent the query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Execute a query and view the results without creating nodes
splunk.search foobar --dryrun
// Execute a query and create it:log:event nodes
splunk.search foobar --yield
// Specify min and max times
splunk.search foobar --min-time "2022-09-10" --max-time "2022-09-12" --dryrun
// Do not scrape indicators from the _raw field
splunk.search foobar --yield --skip-scrape
Usage: splunk.search [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--dryrun : Print out log entries but do not construct nodes.
--min-time <min_time> : Specify the minimum time to limit log search queries (default: -24 hours)
--max-time <max_time> : Specify the maximum time to limit log search queries (default: now)
--yield : Yield the newly created nodes.
--skip-scrape : Skip scraping indicators from the _raw field.
Arguments:
<query> : The Splunk Processing Language search string.
splunk.setup.apikey
Manage the Splunk API key.
Examples:
// Set a global Splunk API key
splunk.setup.apikey abcd1234
// Set a Splunk API key for the current user
splunk.setup.apikey --self abcd1234
// Display the API key scope of the current key
splunk.setup.apikey --show-scope
// Display the current API key
splunk.setup.apikey --show-apikey
// Remove the current global API key
splunk.setup.apikey --remove
// Remove the per-user API key for the current user
splunk.setup.apikey --self --remove
Usage: splunk.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
splunk.setup.domain
Set the domain name to use when making Splunk HTTP API requests.
Usage: splunk.setup.domain [options] <domain>
Options:
--help : Display the command usage.
--port <port> : The port to use with the Splunk domain. (default: 8089)
--insecure : Do not perform SSL/TLS verification.
--noproxy : Disable proxy use.
--self : Set the domain as a user variable. If not used, the domain is set globally.
Arguments:
<domain> : The Splunk domain such as "mydeployment.splunkcloud.com".
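As an added example (not part of the generated package documentation), the following Storm queries tie the three commands above together: point the package at a deployment, store a per-user key, check the key scope, verify a search with --dryrun, then walk the -(refs)> and -(found)> edges that splunk.search creates. The domain, API key and Splunk search string are constructed placeholders.

```storm
// Point the package at the Splunk deployment (set globally; default port 8089 made explicit).
splunk.setup.domain mydeployment.splunkcloud.com --port 8089

// Store the API key as a per-user variable rather than globally (placeholder value).
splunk.setup.apikey --self REPLACE_WITH_API_KEY

// Confirm which key scope (global vs self) will be used for searches.
splunk.setup.apikey --show-scope

// Check the search string and time window first without creating any nodes.
splunk.search "index=auth action=failure" --min-time "2022-09-10" --max-time "2022-09-12" --dryrun

// Same search, now creating it:log:event nodes, then walking the -(refs)> light edges
// to keep only the IPv4 indicators scraped from the _raw field.
splunk.search "index=auth action=failure" --min-time "2022-09-10" --max-time "2022-09-12" --yield
| -(refs)> inet:ipv4

// Start from the it:exec:query nodes recorded for each search and walk the -(found)>
// edges to the it:log:event nodes that search produced.
it:exec:query -(found)> it:log:event
```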
Storm Modules
This package does not export any Storm APIs.