Add fields to collection
Action ID: tools.splunk.add_kv_fields
Add field definitions to a KV Store collection in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to add fields to. Must be unique and contain only alphanumeric characters, underscores, and hyphens.
- List of field definitions to add. Each field requires name and type. Supported types: array, number, bool, string, cidr, time. Example: [{"name": "username", "type": "string"}, {"name": "age", "type": "number"}]
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Batch save KV entries
Action ID: tools.splunk.batch_save_kv_entries
Insert or update multiple entries in a Splunk KV Store collection in a single request. If an entry includes a _key that matches an existing document, it is updated; otherwise a new document is created. Processing stops on the first failure.
Reference: https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to save entries into.
- List of documents to save. Each document is a dict of field-value pairs. Include a _key field to update an existing document; omit it to create a new one (Splunk auto-generates the key). Maximum 1000 documents per request (Splunk default). Example: [{"username": "john", "email": "john@example.com", "active": true}, {"username": "jane", "email": "jane@example.com", "active": false}]
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Create KV collection
Action ID: tools.splunk.create_kv_collection
Create a new KV Store collection in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection. Must be unique and contain only alphanumeric characters, underscores, and hyphens.
- Splunk app context where the collection will be created (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Create KV entry
Action ID: tools.splunk.create_kv_entry
Create a new entry in a Splunk KV Store collection.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection where the entry will be created.
- Key-value pairs to store in the collection. The _key field is automatically generated by Splunk if not provided. Example: {"username": "john", "email": "john@example.com", "active": true}
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Delete KV collection
Action ID: tools.splunk.delete_kv_collection
Delete a KV Store collection from Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to delete.
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Delete KV entry
Action ID: tools.splunk.delete_kv_entry
Delete an entry from a KV Store collection in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection containing the entry.
- The _key value of the entry to delete from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Discover fields
Action ID: tools.splunk.discover_fields
Discover fields in Splunk data using the fieldsummary command with statistics and sample values.
Reference: https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Fieldsummary
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- End time for the search.
- Start time for the search.
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Index to search for fields. Use * for all indexes. Default: "*".
- Maximum number of fields to return. Default: 100.
- Maximum number of sample values to return per field. Default: 5.
- Whether to verify SSL certificates. Default: true.
Get KV collection
Action ID: tools.splunk.get_kv_collection
Get configuration details for a specific KV Store collection from Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to retrieve.
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Get KV entry
Action ID: tools.splunk.get_kv_entry
Get a specific entry from a KV Store collection in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection containing the entry.
- The _key value of the entry to retrieve from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
List data models
Action ID: tools.splunk.list_data_models
List all data models on the Splunk server using native Splunk search.
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Whether to verify SSL certificates. Default: true.
List field extractions
Action ID: tools.splunk.list_field_extractions
List all configured field extraction rules using a simple Splunk query.
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Whether to verify SSL certificates. Default: true.
List indexes
Action ID: tools.splunk.list_indexes
List all indexes on the Splunk server using native Splunk search.
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Whether to verify SSL certificates. Default: true.
List KV collections
Action ID: tools.splunk.list_kv_collections
List all KV Store collections in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Splunk app context to list collections from (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Maximum number of collections to return. Default: 100.
- Number of collections to skip for pagination. Default: 0.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Search query to filter collections. Example: "name=whitelist" to find collections with "whitelist" in the name. Default: "".
- Field to sort results by. Default: "_key".
- How to sort values ("auto", "num", "alpha_case", or "alpha"). Default: "auto".
- Sort order ("asc" or "desc"). Default: "asc".
- Return a summarized response with fewer details for a faster response. Default: false.
- Whether to verify SSL certificates. Default: true.
List KV entries
Action ID: tools.splunk.list_kv_entries
List entries in a KV Store collection from Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to list entries from.
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Maximum number of entries to return. Default: 100.
- Number of entries to skip for pagination. Default: 0.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- MongoDB-style query to filter entries. Default: {}. Supported operators:
  - Conditional: $gte, $lte, $ne
  - Regex: $regex
  - Logical: $or, $not
  Examples:
  - {"title": "Item"}: find entries where title equals "Item"
  - {"price": {"$gt": 5}}: find entries where price > 5
  - {"ip": {"$regex": "192.168.1.*"}}: find entries whose ip matches the pattern
- Include entries from both the specified owner and the "nobody" user. Default: false.
- Number of items to skip from the start (alternative to offset). Default: 0.
- Field to sort entries by. Default: "_key".
- Whether to verify SSL certificates. Default: true.
List sourcetypes
Action ID: tools.splunk.list_sourcetypes
List all defined sourcetypes on the Splunk server.
Reference: https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTsearch
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Whether to verify SSL certificates. Default: true.
Search events
Action ID: tools.splunk.search_events
Search events from Splunk.
Reference: https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTsearch#search.2Fjobs
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- End time for the search.
- Maximum number of events to return.
- SPL (Splunk Query Language) search query. You MUST start the query with search, e.g. search index=main | head 10
- Start time for the search.
- Adhoc search level. Default: "fast".
- Splunk base URL (e.g. https://localhost:8089). Default: null.
- Whether to verify SSL certificates. Default: true.
Submit HEC event
Action ID: tools.splunk.submit_hec_event
Submit an event to Splunk using the HTTP Event Collector (HEC). Uses HEC token authentication.
Reference: https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector
Secrets
Required secrets: splunk_hec (required values: SPLUNK_HEC_TOKEN).
Input fields
- Event data to send to Splunk. Can contain any key-value pairs. Example: {"action": "login", "username": "john", "ip": "192.168.1.100"}
- Splunk HEC endpoint URL (e.g. https://localhost:8088 or https://tracecat.splunkcloud.com:8088). Default: null.
- Host field value for the event. Default: "tracecat.com".
- Splunk index to send the event to. If not specified, uses the default index configured for the HEC token. Default: null.
- Event source identifier (e.g. application name, script name). Default: "tracecat_workflow".
- Event source type for categorization and parsing rules. Default: "tracecat_log".
- Whether to verify SSL certificates. Default: true.
Update KV entry
Action ID: tools.splunk.update_kv_entry
Update an existing entry in a KV Store collection in Splunk.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection containing the entry.
- The _key value of the entry to update in the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
- Fields to update in the entry. Only the specified fields will be updated. Example: {"status": "completed", "updated_at": "2024-01-15"}
- Splunk app context where the collection resides (e.g. "search" for default). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://tracecat.splunkcloud.com:8089). Default: null.
- Splunk namespace owner for access control (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates. Default: true.
Upload CSV to KV Collection
Action ID: tools.splunk.upload_csv_to_kv_collection
Download a CSV file and upload its rows to a Splunk KV Store collection with create, append, or override modes.
Reference: https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints
Secrets
Required secrets: splunk (required values: SPLUNK_API_KEY).
Input fields
- Name of the KV Store collection to target.
- URL pointing to the CSV file to ingest.
- Splunk app context (e.g. search). Default: "search".
- Splunk base URL (e.g. https://localhost:8089 or https://example.splunkcloud.com:8089). If not provided, falls back to the workspace variable splunk.base_url. Default: null.
- Number of CSV rows to send per request. Lower this if you hit payload limits. Default: 500.
- Optional HTTP headers for downloading the CSV (e.g. Authorization). Default: null.
- create: new collection, error if it exists. append: add to existing collection, error if missing. override: replace existing collection if present. Default: "create". Allowed values: create, append, override.
- Splunk namespace owner (use "nobody" for shared access). Default: "nobody".
- Whether to verify SSL certificates when downloading and uploading. Default: true.