Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Set up a GET workflow action

GET link workflow actions drop one or more values into an HTML link. Clicking that link performs an HTTP GET request in a browser, allowing you to pass information to an external web resource, such as a search engine or IP lookup service.

Note: During transmission, variables passed in URIs for GET actions are URL encoded. This means you can include values that have spaces between words or punctuation characters. However, if you are working with a field that has an HTTP address as its value, and you want to pass the entire field value as a URI, you should use the $! prefix to keep Splunk software from escaping the field value. See "Use the $! prefix to prevent escape of URL or HTTP form field values" below for more information.

Define a GET workflow action

Steps

  1. Navigate to Settings > Fields > Workflow Actions.
  2. Click New to open up a new workflow action form.
  3. Define a Label for the action.
    The Label field enables you to define the text that is displayed in either the field or event workflow menu. Labels can be static or include the value of relevant fields.
  4. Determine whether the workflow action applies to specific fields or event types in your data.
    Use Apply only to the following fields to identify one or more fields. When you identify fields, the workflow action only appears for events that have those fields, either in their event menu or field menus. If you leave it blank or enter an asterisk the action appears in menus for all fields.
    Use Apply only to the following event types to identify one or more event types. If you identify an event type, the workflow action only appears in the event menus for events that belong to the event type.
  5. For Show action in determine whether you want the action to appear in the Event menu, the Fields menus, or Both.
  6. Set Action type to link.
  7. In URI provide a URI for the location of the external resource that you want to send your field values to.
    Similar to the Label setting, when you declare the value of a field, you use the name of the field enclosed by dollar signs.
    Variables passed in GET actions via URIs are automatically URL encoded during transmission. This means you can include values that have spaces between words or punctuation characters.
  8. Under Open link in, determine whether the workflow action displays in the current window or if it opens the link in a new window.
  9. Set the Link method to get.
  10. Click Save to save your workflow action definition.

Example - Google search from field values

Here's an example of the setup for a GET link workflow action that sets off a Google search on values of the topic field in search results:

GET workflow action ex1 b.png

In this example, we set the Label value to Google $topic$ because we have a field called topic in our events and we want the value of topic to be included in the label for this workflow action. For example, if the value for topic in an event is CreatefieldactionsinSplunkWeb the field action displays as Google CreatefieldactionsinSplunkWeb in the topic field menu.

The Google $topic$ action applies to all events.

The Google $topic$ action URI uses the GET method to submit the topic value to Google for a search.

Example - Provide an external IP lookup

You have configured your Splunk app to extract domain names in web services logs and specify them as a field named domain. You want to be able to search an external WHOIS database for more information about the domains that appear.

Here's how you would set up the GET workflow action that helps you with this.

In the Workflow actions details page, set Action type to link and set Link method to get.

You then use the Label and URI fields to identify the field involved. Set a Label value of WHOIS: $domain$. Set a URI value of http://whois.net/whois/$domain$.

After that, you can determine:

  • whether the link shows up in the field menu, the event menu, or both.
  • whether the link opens the WHOIS search in the same window or a new one.
  • restrictions for the events that display the workflow action link. You can target the workflow action to events that have specific fields, that belong to specific event types, or some combination of the two.

Use the $! prefix to prevent escape of URL or HTTP form field values

When you define fields for workflow actions, you can escape these fields so that they can be passed safely to an external endpoint using HTTP. However, in certain cases this escaping is undesirable. In these cases, use the $! prefix to prevent the field value from being escaped. This prefix prevents URL escape for GET workflow actions and HTTP form escape for POST workflow actions.

Example - Passing an HTTP address to a separate browser window

You have a GET workflow action that works with a field named http. The http field has fully formed HTTP addresses as values. This workflow action opens a new browser window that points at the HTTP address value of the http field. The workflow action does not work if it opens the new window with an escaped HTTP address.

To prevent the HTTP address from escaping, use the $! prefix. In Settings, where you might normally set URI to $http$ for this workflow action, instead set it to $!http$.

Last modified on 14 July, 2023
About workflow actions in Splunk Web   Set up a POST workflow action

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.7, 8.0.10, 7.0.1, 8.0.6, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 8.0.8, 8.0.9, 8.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters