User Guide
Synapse-Splunk User Guide
Synapse-Splunk adds new Storm commands to allow you to query the Splunk API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> splunk.setup.apikey --self myapikey
Setting Splunk API key for the current user.
Query Splunk log events and ingest the results
Results can first be viewed without creating any nodes by using the --dryrun
option.
> splunk.search --dryrun 'index="_internal" log_level="ERROR" | head 2'
WARNING: Setting the HTTP proxy argument to $lib.null is deprecated. Use $lib.true instead.
{'_bkt': 'test~0~C61E9364-9D2D-42B7-AA95-213229664105',
'_cd': '0:154',
'_indextime': '1664496211',
'_kv': '1',
'_raw': '09-30-2022 00:03:31.526 +0000 WARN SearchMessages - '
'orig_component="SearchStatusEnforcer" app="search" '
'sid="rt_md_1664496118.586" message_key="" message=Search '
'cancellation requested.',
'_serial': '0',
'_si': ('737ef4afe3c4', 'test'),
'_sourcetype': 'logs',
'_subsecond': '.526',
'_time': '2022-09-30T00:03:31.526+00:00',
'host': '737ef4afe3c4',
'log_level': 'WARN',
'message': 'Search cancellation requested.'}
{'_bkt': 'test~0~C61E9364-9D2D-42B7-AA95-213229664105',
'_cd': '0:147',
'_indextime': '1664496035',
'_kv': '1',
'_raw': '09-29-2022 23:29:01.532 +0000 ERROR SearchMessages - '
'orig_component="SearchStatusEnforcer" app="search" '
'sid="1664494056.516" message_key="" message=Search auto-canceled',
'_serial': '1',
'_si': ('737ef4afe3c4', 'test'),
'_sourcetype': 'logs',
'_subsecond': '.532',
'_time': '2022-09-29T23:29:01.532+00:00',
'host': '737ef4afe3c4',
'log_level': 'ERROR',
'message': 'Search auto-canceled'}
Running the command without --dryrun
will create it:log:event
nodes,
and also scrape any indicators from the _raw
field.
> splunk.search --yield 'index="_internal" log_level="ERROR" | head 2'
WARNING: Setting the HTTP proxy argument to $lib.null is deprecated. Use $lib.true instead.
it:log:event=958b9f192509c9cbc5eb0e50abceb59b
.created = 2024/12/20 18:15:16.584
:data = {'host': '737ef4afe3c4', 'message': 'Search cancellation requested.', 'log_level': 'WARN', '_bkt': 'test~0~C61E9364-9D2D-42B7-AA95-213229664105', '_cd': '0:154', '_indextime': '1664496211', '_kv': '1', '_raw': '09-30-2022 00:03:31.526 +0000 WARN SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="rt_md_1664496118.586" message_key="" message=Search cancellation requested.', '_serial': '0', '_si': ('737ef4afe3c4', 'test'), '_sourcetype': 'logs', '_subsecond': '.526', '_time': '2022-09-30T00:03:31.526+00:00'}
:host = 08dce7b3677fac21660e01c9fdc54e43
:mesg = 09-30-2022 00:03:31.526 +0000 WARN SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="rt_md_1664496118.586" message_key="" message=Search cancellation requested.
:severity = warning
:time = 2022/09/30 00:03:31.526
it:log:event=cc89a74e03c0ba5c9eee6bd45ae4b6ec
.created = 2024/12/20 18:15:16.692
:data = {'host': '737ef4afe3c4', 'message': 'Search auto-canceled', 'log_level': 'ERROR', '_bkt': 'test~0~C61E9364-9D2D-42B7-AA95-213229664105', '_cd': '0:147', '_indextime': '1664496035', '_kv': '1', '_raw': '09-29-2022 23:29:01.532 +0000 ERROR SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="1664494056.516" message_key="" message=Search auto-canceled', '_serial': '1', '_si': ('737ef4afe3c4', 'test'), '_sourcetype': 'logs', '_subsecond': '.532', '_time': '2022-09-29T23:29:01.532+00:00'}
:host = 08dce7b3677fac21660e01c9fdc54e43
:mesg = 09-29-2022 23:29:01.532 +0000 ERROR SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="1664494056.516" message_key="" message=Search auto-canceled
:severity = err
:time = 2022/09/29 23:29:01.532
Use the Storm API to create a custom ingest
$splunk = $lib.import(splunk)
$query = '| from inputlookup:"geo_attr_countries" | search country=Domin*'
for $item in $splunk.search(query=$query) {
[ geo:name=$item.country ]
}
WARNING: Setting the HTTP proxy argument to $lib.null is deprecated. Use $lib.true instead.
geo:name=dominica
.created = 2024/12/20 18:15:17.024
geo:name=dominican republic
.created = 2024/12/20 18:15:17.031
Use of meta:source
nodes
Synapse-Splunk uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the Splunk API.
> meta:source=3918e28ef98e21b7d5ed6791ee9f3394
meta:source=3918e28ef98e21b7d5ed6791ee9f3394
.created = 2024/12/20 18:15:16.394
:name = splunk api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Splunk. The following example shows how to filter the results of a query to include only results observed by Synapse-Splunk:
> it:log:event:severity=err +{ <(seen)- meta:source=3918e28ef98e21b7d5ed6791ee9f3394 }
it:log:event=cc89a74e03c0ba5c9eee6bd45ae4b6ec
.created = 2024/12/20 18:15:16.692
:data = {'host': '737ef4afe3c4', 'message': 'Search auto-canceled', 'log_level': 'ERROR', '_bkt': 'test~0~C61E9364-9D2D-42B7-AA95-213229664105', '_cd': '0:147', '_indextime': '1664496035', '_kv': '1', '_raw': '09-29-2022 23:29:01.532 +0000 ERROR SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="1664494056.516" message_key="" message=Search auto-canceled', '_serial': '1', '_si': ('737ef4afe3c4', 'test'), '_sourcetype': 'logs', '_subsecond': '.532', '_time': '2022-09-29T23:29:01.532+00:00'}
:host = 08dce7b3677fac21660e01c9fdc54e43
:mesg = 09-29-2022 23:29:01.532 +0000 ERROR SearchMessages - orig_component="SearchStatusEnforcer" app="search" sid="1664494056.516" message_key="" message=Search auto-canceled
:severity = err
:time = 2022/09/29 23:29:01.532