
Splunk

1. Overview

Splunk is a platform for searching, monitoring, and analyzing machine-generated data from many sources in real time. It gives organizations operational intelligence and insight into their data for security, IT operations, and business analytics.

The GoInsight Splunk node allows you to integrate Splunk's data processing and management capabilities directly into your automated workflows. You can perform a wide range of administrative and data-related tasks, including:

  • Search Management: Create, retrieve, and delete search jobs to query your data programmatically.
  • User and Role Administration: Automate the creation, deletion, and management of users and roles within your Splunk instance.
  • Reporting: Manage saved search reports, allowing you to create, update, retrieve, and delete them as part of a larger process.
  • Data Retrieval: Fetch fired alerts, metrics, and the results of specific search jobs to use in subsequent workflow steps.

2. Prerequisites

Before using this node, you must have a valid Splunk account (either Splunk Cloud Platform or Splunk Enterprise). You will also need the appropriate permissions to generate an API token for authentication.

3. Credentials

For a detailed guide on how to obtain and configure your credentials, please refer to our official documentation: Credentials Configuration Guide.

4. Supported Operations

Summary

This node provides comprehensive operations for managing key Splunk resources such as Search Jobs, Search Reports, Users, and Roles. The table below summarizes the available actions.

| Resource | Operation | Description |
| --- | --- | --- |
| Alert | Get Fired Alerts | Gets a fired alerts report from Splunk Cloud Platform using API token authentication. |
| Metric | Get Many Metrics | Gets many metrics from Splunk Cloud Platform using API token authentication. |
| Role | Create a Role | Creates a user role in Splunk Cloud Platform using API token authentication. |
| Role | Delete a Role | Deletes a specific role from Splunk Cloud Platform using API token authentication. |
| Role | Get Many Roles | Gets details of all roles and their permissions from Splunk Cloud Platform using API token authentication. |
| Role | Get a Role | Gets details of a specific role from Splunk Cloud Platform using API token authentication. |
| Role | Update a Role | Updates a user role in Splunk Cloud Platform using API token authentication. |
| Search Job | Create Search Job | Creates a search job in Splunk Cloud Platform using API token authentication. |
| Search Job | Delete Search Job | Deletes a specific search job by its SID from Splunk Cloud Platform using API token authentication. |
| Search Job | Get Search Job | Gets information about a specific search job by its SID from Splunk Cloud Platform using API token authentication. |
| Search Job | Get Search Job Results | Gets the results of a specific search job by its SID from Splunk Cloud Platform using API token authentication. |
| Search Job | Get Search Jobs | Gets details of all current searches from Splunk Cloud Platform using API token authentication. |
| Search Report | Create Search Report | Creates a saved search in Splunk Cloud Platform using API token authentication. |
| Search Report | Delete Search Report | Deletes a named saved search from Splunk Cloud Platform using API token authentication. |
| Search Report | Get Search Report | Gets a search configuration from Splunk Cloud Platform using API token authentication. |
| Search Report | Get Search Reports | Gets many search configurations from Splunk Cloud Platform using API token authentication. |
| Search Report | Update Search Report | Updates a named saved search in Splunk Cloud Platform using API token authentication. |
| User | Create a User | Creates a user in Splunk Cloud Platform using API token authentication. When creating a user you must specify at least one role. |
| User | Delete a User | Deletes a specific user from Splunk Cloud Platform using API token authentication. |
| User | Get Many Users | Gets details of all users from Splunk Cloud Platform using API token authentication. |
| User | Get a User | Gets details of a specific user from Splunk Cloud Platform using API token authentication. |
| User | Update a User | Updates a user in Splunk Cloud Platform using API token authentication. |

Operation Details

Create Search Job

Creates a search job in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • SearchQuery: The search language string to execute, taking results from the local and remote servers (e.g. "search *", "search * | outputcsv").
  • LatestTime: Specifies the latest time for the search job. The value can be in various formats, such as relative time (e.g., "now" for the current time), absolute time (e.g., "2023-01-01T01:00:00"), or epoch time (e.g., "1672617600"). Defaults to "now".

Options:

  • Query: Additional parameters for the search job.

Output:

  • Job (object): Created job information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Create Search Report

Creates a saved search in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • SearchName: Name of the saved search to create.
  • SearchQuery: The search query string.

Options:

  • Query: Additional parameters for the saved search. Defaults to {}.

Output:

  • Report (object): Created search report information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Create a Role

Creates a user role in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Rolename: Name of the role to create.

Options:

  • Query: Additional parameters for the role. Defaults to {}. Includes the fields defaultApp, srchDiskQuota, srchJobsQuota, rtSrchJobsQuota, imported_roles and capabilities.

Output:

  • Role (object): Created role information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Create a User

Creates a user in Splunk Cloud Platform using API token authentication. When creating a user you must specify at least one role.

Input Parameters:

  • Username: Name of the user to create.
  • Password: User login password. Must be at least 8 printable characters long.
  • Roles: Role to assign to this user. To assign multiple roles, pass in each role using a separate roles parameter value.

Options:

  • Query: Additional parameters for the user.

Output:

  • User (object): Created user information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Delete Search Job

Deletes a specific search job by its SID from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Sid: The search ID (SID) of the search job to delete.

Output:

  • Success (bool): Indicates whether the deletion was successful.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Delete Search Report

Deletes a named saved search from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • SearchName: Name of the saved search to delete.

Output:

  • Success (bool): True if the operation was successful, False otherwise.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Delete a Role

Deletes a specific role from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Rolename: The name of the role to delete.

Output:

  • Success (bool): Indicates whether the deletion was successful.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Delete a User

Deletes a specific user from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Username: The name of the user to delete.

Output:

  • Success (bool): Indicates whether the deletion was successful.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Fired Alerts

Gets a fired alerts report from Splunk Cloud Platform using API token authentication.

Options:

  • Query: Query parameters for the request.

Output:

  • Alerts (object-array): Fired alerts report data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Many Metrics

Gets many metrics from Splunk Cloud Platform using API token authentication.

Options:

  • Earliest: A time string that specifies the earliest time for this search. Can be a relative or absolute time. Defaults to "-1d".
  • Latest: A time string that specifies the latest time for this search. Can be a relative or absolute time. Defaults to "now".
  • FilterCondition: A URL-encoded set of one or more key-value pairs, where keys correspond to metric fields such as index or dimension. Defaults to "".
  • ListIndexes: If True, list all indexes available. Defaults to False.

Output:

  • Metrics (object-array): Array of metric data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Many Roles

Gets details of all roles and their permissions from Splunk Cloud Platform using API token authentication.

Options:

  • Query: Query parameters for the roles. Defaults to {}.

Output:

  • Rols (object-array): Array of role data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Many Users

Gets details of all users from Splunk Cloud Platform using API token authentication.

Options:

  • Query: Query parameters for the users. Defaults to {}.

Output:

  • Users (object-array): Array of user data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Search Job

Gets information about a specific search job by its SID from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Sid: The search ID (SID) of the search job to retrieve.

Output:

  • Job (object): Job data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Search Job Results

Gets the results of a specific search job by its SID from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Sid: The search ID (SID) of the search job to retrieve results for.

Options:

  • Query: Query parameters for the search job results. Defaults to {}.

Output:

  • Results (object): Dictionary of result data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Search Jobs

Gets details of all current searches from Splunk Cloud Platform using API token authentication.

Options:

  • Query: Query parameters for the search jobs. Defaults to {}.

Output:

  • Jobs (object-array): Array of job data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Search Report

Gets a search configuration from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • SearchName: Name of the search configuration to retrieve.

Options:

  • Query: Query parameters for the search configuration. Defaults to {}.

Output:

  • Report (object): Configuration data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get Search Reports

Gets many search configurations from Splunk Cloud Platform using API token authentication.

Options:

  • Query: Query parameters for the search configurations. Defaults to {}.

Output:

  • Reports (object-array): Array of configuration data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get a Role

Gets details of a specific role from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Rolename: Name of the role to retrieve.

Output:

  • Role (object): Role data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Get a User

Gets details of a specific user from Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Username: Name of the user to retrieve.

Output:

  • User (object): User data retrieved from Splunk Cloud Platform.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Update Search Report

Updates a named saved search in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • SearchName: Name of the saved search to update.
  • SearchQuery: The search query string.

Options:

  • Query: Additional parameters for the saved search. Defaults to {}.

Output:

  • Report (object): Updated search report information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Update a Role

Updates a user role in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Rolename: Name of the role to update.

Options:

  • Query: Fields to update for the role. Defaults to {}.

Output:

  • Role (object): Updated role information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

Update a User

Updates a user in Splunk Cloud Platform using API token authentication.

Input Parameters:

  • Username: Name of the user to update.

Options:

  • Query: Fields to update for the user. Defaults to {}.

Output:

  • User (object): Updated user information.
  • StatusCode (number): HTTP status code or operation status code (-1 for parameter error, 500 for exceptions).
  • ErrorMessage (string): Error message description, returns empty string on success.

5. Example Usage

This section will guide you through creating a simple workflow to execute a search query in Splunk.

The workflow will consist of: Start -> Splunk: Create Search Job -> Answer.

Step 1: Add the Tool Node

  1. In the workflow canvas, click the + button to add a new node.
  2. Select the "Tool" tab in the pop-up panel.
  3. Find and select "Splunk" from the list of tools.
  4. From the list of supported operations for Splunk, click on "Create Search Job" to add the node to your canvas.

Step 2: Configure the Node

  1. Click on the newly added "Create Search Job" node to open its configuration panel on the right.
  2. Credentials: Find the credentials field at the top. Click the dropdown menu and select your pre-configured Splunk credential.
  3. Parameters: Fill in the required input parameters for the operation.
    • SearchQuery: Enter the Splunk Processing Language (SPL) query you want to execute. For example, to find the first 10 events from all indexes, you could enter search * | head 10.
    • LatestTime: Specify the upper bound of the time window for the search. You can use a relative time like now to indicate the current time.

Step 3: Run and Validate

  1. Once all required parameters are correctly filled, any error indicators on the node will disappear.
  2. Click the "Run" button in the top-right corner of the canvas to execute the workflow.
  3. After a successful run, you can click the log icon in the top-right corner to view the detailed inputs and outputs of the node, verifying that the search job was created successfully. The output will contain the Search ID (SID) of the newly created job.

After completing these steps, your workflow is fully configured. When executed, it will create a new search job in your Splunk instance based on your query.

6. FAQs

Q: I'm getting a 401 Unauthorized error. What should I do?

A: This error typically indicates an issue with your credentials. Please check the following:

  • Ensure your API token is correct and has not expired.
  • Verify that the token has the necessary permissions to perform the requested operation.
  • Confirm that the Splunk host/URL in your credential configuration is accurate.

Q: How do I format the LatestTime or Earliest time parameters?

A: Splunk accepts several time formats. Here are the most common ones:

  • Relative Time: Use strings like now, -1h (one hour ago), -2d (two days ago).
  • Absolute Time: Use a specific timestamp, for example, 2023-10-27T10:00:00.
  • Epoch Time: Provide the time as a Unix epoch value, such as 1698397200.
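The REST sequence behind the Step 1 to Step 3 workflow above (Create Search Job, then Get Search Job by SID, then Get Search Job Results), together with the time-format and 401 checks from these FAQs, as an added Python example that is not part of this page or of the GoInsight node's own code. It uses Splunk's documented /services/search/jobs endpoints with Bearer-token authentication; the `send` transport hook, the default "-24h" window and the sample responses in the comments are assumptions, and the (result, StatusCode, ErrorMessage) triple mirrors the node's output contract.

```python
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request


def time_kind(value):
    """Classify a Splunk time string as 'relative', 'absolute' or 'epoch' (None if unrecognised).
    Covers the FAQ forms plus snap-to suffixes such as -1d@d; this is a subset of SPL time syntax."""
    if value == "now" or re.fullmatch(r"[+-]\d+(s|m|h|d|w|mon|q|y)(@\w+)?", value):
        return "relative"
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", value):
        return "absolute"
    if re.fullmatch(r"\d{9,10}", value):
        return "epoch"
    return None


def _default_send(req):
    """Transport hook (assumed design): send a urllib Request, return (http_status, body_text)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_search(base_url, token, search_query, latest_time="now", earliest_time="-24h",
               send=_default_send, poll_seconds=2):
    """Create a search job, wait for it and fetch its results. Returns (results, status_code,
    error_message): -1 for a parameter error, the HTTP status when Splunk rejects a call, 200 on success."""
    for name, value in (("LatestTime", latest_time), ("Earliest", earliest_time)):
        if time_kind(value) is None:
            return None, -1, f"{name}: unrecognised time format {value!r}"
    spl = search_query.strip()
    # The jobs endpoint expects a full SPL pipeline, so a bare filter gets the leading "search" command.
    if not (spl.startswith("search") or spl.startswith("|")):
        spl = "search " + spl
    api = base_url.rstrip("/") + "/services/search/jobs"
    headers = {"Authorization": "Bearer " + token}  # Splunk API-token authentication
    body = urllib.parse.urlencode({"search": spl, "earliest_time": earliest_time,
                                   "latest_time": latest_time, "output_mode": "json"}).encode()
    status, text = send(urllib.request.Request(api, data=body, headers=headers, method="POST"))
    if status == 401:
        return None, 401, "Unauthorized: check the token, its permissions and the host URL"
    if status not in (200, 201):
        return None, status, text
    sid = json.loads(text)["sid"]  # the Search ID the node reports in its Job output
    while True:  # "Get Search Job": poll until the job is done or has failed
        status, text = send(urllib.request.Request(f"{api}/{sid}?output_mode=json", headers=headers))
        if status != 200:
            return None, status, text
        content = json.loads(text)["entry"][0]["content"]
        if content.get("isDone"):
            break
        if content.get("dispatchState") == "FAILED":
            return None, 500, f"search job {sid} failed"
        time.sleep(poll_seconds)
    # "Get Search Job Results": Splunk answers 204 when the job produced no events (the last FAQ case)
    status, text = send(urllib.request.Request(f"{api}/{sid}/results?output_mode=json", headers=headers))
    if status == 204:
        return [], 200, ""
    if status != 200:
        return None, status, text
    return json.loads(text)["results"], 200, ""
```

A successful run returns the parsed "results" array with status 200 and an empty error string, so a workflow can branch on the status code exactly as it does on the node's StatusCode output.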

Q: My search job is created but returns no results. Why?

A: There could be several reasons for this:

  • Incorrect Time Window: The time range specified by Earliest and LatestTime might not contain any data that matches your query. Try expanding the time window.
  • Invalid SPL: Double-check the syntax of your SearchQuery. Even a small typo can cause the search to fail or return no results.
  • Permissions: The user associated with your API token may not have permission to search the indexes you are targeting.

7. Official Documentation

For more in-depth information about the Splunk REST API, please refer to the Splunk Official API Documentation.

Updated on: Dec 12, 2025