> ## Documentation Index > Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt > Use this file to discover all available pages before exploring further. # Splunk > Reference for the Tracecat Splunk integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add fields to collection Action ID: `tools.splunk.add_kv_fields` Add field definitions to a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to add fields to. Must be unique and contain only alphanumeric characters, underscores, and hyphens. List of field definitions to add. Each field requires name and type. Supported types: array, number, bool, string, cidr, time Example: \[\{"name": "username", "type": "string"}, \{"name": "age", "type": "number"}] Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Batch save KV entries Action ID: `tools.splunk.batch_save_kv_entries` Insert or update multiple entries in a Splunk KV Store collection in a single request. If an entry includes a \_key that matches an existing document, it is updated; otherwise a new document is created. Processing stops on the first failure. Reference: [https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16](https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to save entries into. List of documents to save. Each document is a dict of field-value pairs. Include a \_key field to update an existing document; omit it to create a new one (Splunk auto-generates the key). Maximum 1000 documents per request (Splunk default). Example: \[\{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true}, \{"username": "jane", "email": "[jane@example.com](mailto:jane@example.com)", "active": false}] Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Create KV collection Action ID: `tools.splunk.create_kv_collection` Create a new KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection. Must be unique and contain only alphanumeric characters, underscores, and hyphens. Splunk app context where the collection will be created (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Create KV entry Action ID: `tools.splunk.create_kv_entry` Create a new entry in a Splunk KV Store collection. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection where the entry will be created. Key-value pairs to store in the collection. The \_key field is automatically generated by Splunk if not provided. Example: \{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true} Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Delete KV collection Action ID: `tools.splunk.delete_kv_collection` Delete a KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to delete. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Delete KV entry Action ID: `tools.splunk.delete_kv_entry` Delete an entry from a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to delete from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Discover fields Action ID: `tools.splunk.discover_fields` Discover fields in Splunk data using the fieldsummary command with statistics and sample values. Reference: [https://help.splunk.com/en?resourceId=Splunk\_SearchReference\_Fieldsummary\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_SearchReference_Fieldsummary\&version=splunk-9_4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields End time for the search. Start time for the search. Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Index to search for fields. Use \* for all indexes. Default: `"*"`. Maximum number of fields to return. Default: `100`. Maximum number of sample values to return per field. Default: `5`. Whether to verify SSL certificates. Default: `true`. ## Get KV collection Action ID: `tools.splunk.get_kv_collection` Get configuration details for a specific KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to retrieve. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Get KV entry Action ID: `tools.splunk.get_kv_entry` Get a specific entry from a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to retrieve from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## List data models Action ID: `tools.splunk.list_data_models` List all data models on the Splunk server using native Splunk search. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List field extractions Action ID: `tools.splunk.list_field_extractions` List all configured field extraction rules using a simple Splunk query. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List indexes Action ID: `tools.splunk.list_indexes` List all indexes on the Splunk server using native Splunk search. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List KV collections Action ID: `tools.splunk.list_kv_collections` List all KV Store collections in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Splunk app context to list collections from (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Maximum number of collections to return. Default: `100`. Number of collections to skip for pagination. Default: `0`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Search query to filter collections. Example: "name=*whitelist*" to find collections with "whitelist" in the name. Default: `""`. Field to sort results by. Default: `"_key"`. How to sort values ("auto", "num", "alpha\_case", or "alpha"). Default: `"auto"`. Sort order ("asc" or "desc"). Default: `"asc"`. Return summarized response with fewer details for faster response. Default: `false`. Whether to verify SSL certificates. Default: `true`. ## List KV entries Action ID: `tools.splunk.list_kv_entries` List entries in a KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to list entries from. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Maximum number of entries to return. Default: `100`. Number of entries to skip for pagination. Default: `0`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. MongoDB-style query to filter entries. Supported operators: * Conditional: $gt, $gte, $lt, $lte, \$ne * Regex: \$regex * Logical: $and, $or, \$not Examples: * \{"title": "Item"} - Find entries where title equals "Item" * \{"price": \{"\$gt": 5}} - Find entries where price > 5 * \{"ip": \{"\$regex": "192.168.1.\*"}} - Find entries matching IP pattern Default: `{}`. Include entries from both specified owner and "nobody" user. Default: `false`. Number of items to skip from the start (alternative to offset). Default: `0`. Field to sort entries by. Default: `"_key"`. Whether to verify SSL certificates. Default: `true`. ## List sourcetypes Action ID: `tools.splunk.list_sourcetypes` List all defined sourcetypes on the Splunk server. Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## Search events Action ID: `tools.splunk.search_events` Search events from Splunk. Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4#search.2Fjobs](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4#search.2Fjobs) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields End time for the search. Maximum number of events to return. Splunk (Splunk Query Language) search query. You MUST start the query with `search`, e.g. `search index=main | head 10` Start time for the search. Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## Submit HEC event Action ID: `tools.splunk.submit_hec_event` Submit an event to Splunk using the HTTP Event Collector (HEC). Uses HEC token authentication. Reference: [https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector](https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector) ### Secrets Required secrets: * `splunk_hec`: required values `SPLUNK_HEC_TOKEN`. ### Input fields Event data to send to Splunk. Can contain any key-value pairs. Example: \{"action": "login", "username": "john", "ip": "192.168.1.100"} Splunk HEC endpoint URL (e.g. [https://localhost:8088](https://localhost:8088) or [https://tracecat.splunkcloud.com:8088](https://tracecat.splunkcloud.com:8088)). Default: `null`. Host field value for the event. Default: `"tracecat.com"`. Splunk index to send the event to. If not specified, uses the default index configured for the HEC token. Default: `null`. Event source identifier (e.g. application name, script name). Default: `"tracecat_workflow"`. Event source type for categorization and parsing rules. Default: `"tracecat_log"`. Whether to verify SSL certificates. Default: `true`. ## Update KV entry Action ID: `tools.splunk.update_kv_entry` Update an existing entry in a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to update in the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Fields to update in the entry. Only specified fields will be updated. Example: \{"status": "completed", "updated\_at": "2024-01-15"} Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Upload CSV to KV Collection Action ID: `tools.splunk.upload_csv_to_kv_collection` Download a CSV file and upload its rows to a Splunk KV Store collection with create, append, or override modes. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to target. URL pointing to the CSV file to ingest. Splunk app context (e.g. search). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://example.splunkcloud.com:8089](https://example.splunkcloud.com:8089)). If not provided, falls back to the workspace variable `splunk.base_url`. Default: `null`. Number of CSV rows to send per request. Lower this if you hit payload limits. Default: `500`. Optional HTTP headers for downloading the CSV (e.g. Authorization). Default: `null`. create: new collection, error if it exists. append: add to existing collection, error if missing. override: replace existing collection if present. Default: `"create"`. Allowed values: `create`, `append`, `override`. Splunk namespace owner (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates when downloading and uploading. Default: `true`.