Splunk connector powered by Jitterbit

Use the BMC Helix iPaaS Splunk Connector to easily integrate BMC Helix ITSM and Splunk to sync incidents and events. A specific Splunk connection and its activities together are referred to as a Splunk endpoint. Use the connector to perform the following actions:

  • Configure the connection to create an authenticated Splunk connection by entering credentials.
  • Configure associated Splunk activities that interact with the connection to be used either as a source to provide data within an operation, or as a target to consume data within an operation.
  • Use the connector activities to perform the following actions: 
    • Create, retrieve, update, and delete alerts
    • Retrieve events
    • Retrieve all fired alerts or specific fired alerts by name and delete a fired alert

Supported API versions and prerequisites

The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.

The Splunk connector requires the use of an agent version  10.1  or later. These agent versions automatically download the latest version of the connector when required.

Splunk connector updates

  • The Delete Fired Alerts activity has been added to the connector activities. Use this activity to delete a fired alert in Splunk. 
  • Splunk alert actions have been added for the Create Alert, Update Alert, and Get Alert activities. Alert actions help you respond to triggered alerts. The following actions are available:
    • Webhook— Send an HTTP POST request to specified URL
    • Email—Send an email with the results to the specified recipients
    • Script—Runs a predefined script
    • Logevent—Send log events to a Splunk endpoint
    • Outputtelemetry—Send usage metrics to Splunk
    • LookupWrite search results to a static lookup table, or KV store collection
    Enable the required action, and define required values for the action in the Request schema when designing the operation for the activity. 

To configure the Splunk connection

  1. From the design canvas, open the Connectivity tab  of the design component palette.
  2. Perform one of the following actions:
    • To configure a new Splunk connection, use Show to filter on Connectors, and then click the Splunk connector block:
    • To configure an existing Splunk connection, use Show to filter on Endpoints, and then double-click the Splunk connector block:

  3. On the configuration screen, enter the following configuration values:

    Tip

    Fields with a variable icon  support using  global variables project variables , and Jitterbit variables , type an open square bracket [ into the field or click the variable icon.

    Field NameAction
    Endpoint NameEnter a name to identify the Splunk connection and the Splunk endpoint, which refers to both a specific connection and its activities. The name must be unique for each Splunk connection and must not contain forward slashes (/) or colons (:).
    Splunk HostEnter the host URL of the Splunk instance.
    Splunk PortEnter the port for the Splunk instance.
    UsernameEnter the user name to log in to Splunk.
    PasswordEnter the password for the user name to log in to Splunk.


    Important

    If you click Delete while creating a new connection, an error is displayed. For more information, see  Component Dependencies, Deletion, and Removal .

  4. Click Save Changes.
    After configuring the Splunk connection, configure one or more associated activities with that connection. For more information about creating an activity, see Creating a Splunk activity.

To create a Splunk activity 

  1. From the design canvas, open the Connectivity tab of the design component palette:
  2. To display activities that are available to be used with a Splunk connection, use Show to filter on Endpoints, and then click the Splunk connector block:

    The following activities are available. For more information about configuring these activities, see the specific activity sections.

    Activity nameDescription
    Create AlertPlaces Splunk alert data into a Splunk endpoint and is intended to be used as a target in an operation.
    Get AlertFinds Splunk alert data at a Splunk endpoint and is intended to be used as a source in an operation.
    Get EventsFinds Splunk event data at a Splunk endpoint and is intended to be used as a source in an operation.
    Get All Fired AlertsFinds data for all fired alerts at a Splunk endpoint and is intended to be used as a source in an operation.
    Get Fired Alert By NameFinds the Splunk alert data based on the name at a Splunk endpoint and is intended to be used as a source in an operation.
    Update AlertPlaces Splunk alert data updates into a Splunk endpoint and is intended to be used as a target in an operation.
    Delete AlertDeletes Splunk alert data from a Splunk endpoint and is intended to be used as a target in an operation.
    Delete Fired AlertsDeletes fired alert data from a Splunk endpoint and is intended to be used as a target in an operation.
  3. To create an activity that can be configured, drag the activity block  from the palette to the operation.

For more information about the parts of an operation and how to add activities to operations, see  Operation Creation and Configuration

To configure a Splunk Create Alert activity 

A Splunk Create Alert activity places alert data into a Splunk endpoint and is intended to be used as a target to consume data in an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Create activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    Name

    Enter a name to identify the Splunk Create Alert activity.

    The name must be unique for each Splunk Create Alert activity and must not contain forward slashes (/) or colons (:).

    Alert NameEnter a name for the alert to be created.
    Search CriteriaEnter the search criteria for the alert to be created.
    Alert Dispatch Earliest TimeEnter the earliest value for the search time range.
    Alert Dispatch Latest TimeEnter the latest value for the search time range.
    CRON Schedule

    Enter a cron expression to schedule the alert search. The cron expression is a string of the following five fields from left to right, separated by spaces:

    • Minute: 0-59
    • Hour: 0-23
    • Day of the month: 1-31
    • Month: 1-12
    • Day of the week: 0-6 (where 0 = Sunday) For details of defining a cron expression, see the Use cron expressions for alert scheduling  topic in the Splunk documentation.
    Additional field for alert creation

    To select the following additional Splunk fields to define for the alert, click Add.

    • Name: Select a field from the list.
    • Value: Enter a value for the selected field.
    Optional Settings

    Click to view the following additional optional setting:

    • JSON input (This event definition overrides the prior selections): Enter the Key-Value pair for the alert fields. Use the {"Key": "Value"} or [{"Key": "Value"}] format.



  3. Click Next.

  4. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Create Alert activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 

    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.

  5. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

To configure actions for the Create Alert activity

The Splunk connector upgrade allows you to configure actions when creating an operation by using the Create Alert activity. To add an action when configuring the Create Alert operation:

  1. Open the request transformation element of the operation you create.
  2. In the Target schema, double-click the actions (string) field, and add the actions to configure. 

    For example, to configure all available actions, enter:

    <trans>
    'webhook,email,script,logevent,outputtelemetry,lookup'
    </trans>

    To configure only webhook, enter:

    <trans>
    'webhook'
    </trans>

  3. Double-click the configuration fields related to the actions you added and add the required values. 
    For example, if you selected webhook, add the webhook URL to the action.webhook.param.url in the target request schema.

  4. Click Return to Workflow

Splunk Create Alert operation patterns

Splunk Create Alert activities can be used as a target with these operation patterns:

  • Transformation Pattern
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Create Alert activities. For more information about the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Create Alert activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Create Alert Request) creates a request structure that is passed to the Splunk Create Alert activity. The second transformation (Splunk Create Alert Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Create Alert Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:


Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Get Alert activity 

A Splunk Get Alert activity retrieves alert data at a Splunk endpoint and is intended to be used as a source to provide data to an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each connection.

To configure a Splunk Get Alert activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    NameEnter a name to identify the Splunk Get Alert activity. The name must be unique for each Splunk Get Alert activity and must not contain forward slashes (/) or colons (:).
    Alert NameEnter the name of the Splunk alert you want to retrieve.


  3. Click Next.
  4. Review the request and response data schemas for your Splunk instance.
    The data schemas list the fields available for the Splunk Get Alert activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.

  5. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Get Alert operation patterns

Splunk Get Alert activities can be used as a source with these operation patterns:

  • Transformation Pattern
  • Two-Target Archive Pattern (as the first source only)
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Get Alert activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Get Alert activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Get Alert Request) creates a request structure that is passed to the Splunk Get Alert activity. The second transformation(Splunk Get Alert Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Get Alert Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Get Events activity 

A Splunk Get Events activity finds an event at a Splunk endpoint and is intended to be used as a source to provide data to an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Get Events activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    NameEnter a name to identify the Splunk Get Events activity. The name must be unique for each Splunk Get Events activity and must not contain forward slashes (/) or colons (:).
    Search ID
    Enter the ID of the event to be retrieved.
    Maximum number of records to be processed Enter a value for the maximum number of records to be processed for this data.
    Maximum number of records to be fetched per page (Max allowed value = 200)Enter a value between 1 and 200 to define the number of records to be displayed per page.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Get Events activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Get Events operation patterns

Splunk Get Events activities can be used as a source with these operation patterns:

  • Transformation Pattern
  • Two-Target Archive Pattern (as the first source only)
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Get Events activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Get Events activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Get Events Request) creates a request structure that is passed to the Splunk Get Events activity. The second transformation (Splunk Get Events Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Get Events Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Get All Fired Alerts activity 

A Splunk Get All Fired Alerts activity finds data for alerts fired at a Splunk endpoint and is intended to be used as a source to provide data to an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Get All Fired Alerts activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    NameEnter a name to identify the Splunk Get All Fired Alerts activity. The name must be unique for each Splunk Get All Fired Alerts activity and must not contain forward slashes (/) or colons (:).
    Maximum number of records to be processed
    Enter a value for maximum number of records to process for this data.
    Maximum number of records to be fetched per page
    (Max allowed value = 200)
    Enter a value between 1 and 200 to define the number of records to be displayed per page.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Get All Fired Alerts activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Get All Fired Alerts operation patterns

Splunk Get All Fired Alerts activities can be used as a source with these operation patterns:

  • Transformation Pattern
  • Two-Target Archive Pattern (as the first source only)
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Get All Fired Alerts activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Get All Fired Alerts activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Get All Fired Alerts Request) creates a request structure that is passed to the Splunk Get All Fired Alerts activity. The second transformation (Splunk Get All Fired Alerts Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Get All Fired Alerts Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Get Fired Alert By Name activity 

A Splunk Get Fired Alert By Name activity finds a Splunk alert based on the name at a Splunk endpoint and is intended to be used as a source to provide data to an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Get Fired Alert by Name activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    NameEnter a name to use to identify the Splunk Get Fired Alert By Name activity. The name must be unique for each Splunk Get Fired Alert By Name activity and must not contain forward slashes (/) or colons (:).
    Alert Name
    Enter the name of the fired alert.
    Maximum number of records to be processedEnter a value for the maximum number of records to be processed for this data.
    Maximum number of records to be fetched per page (Max Allowed Value = 200)Enter a value between 1 and 200 to define the number of records to be displayed per page.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Get Fired Alert by Name activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Get Fired Alert by Name operation patterns

Splunk Get Fired Alert By Name activities can be used as a source with these operation patterns:

  • Transformation Pattern
  • Two-Target Archive Pattern (as the first source only)
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Get Fired Alert By Name activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Get Fired Alert By Name activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Get Fired Alert By Name Request) creates a request structure that is passed to the Splunk Get Fired Alert By Name activity. The second transformation (Splunk Get Fired Alert By Name Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Get Fired Alert By Name Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Update Alert activity 

A Splunk Update Alert activity places data to be updated for a Splunk alert into a Splunk endpoint and is intended to be used as a target to consume data in an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Update Alert activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field NameAction
    NameEnter a name to identify the Splunk Update Alert activity. The name must be unique for each Splunk Update Alert activity and must not contain forward slashes (/) or colons (:).
    Alert NameEnter a name for the alert to be updated.
    Search CriteriaEnter the search criteria for the alert to be updated.
    Alert Dispatch Earliest TimeEnter the earliest value for the search time range.
    Alert Dispatch Latest TimeEnter the latest value for the search time range.
    Additional field for alert creation

    To select additional Splunk fields to define for the alert, click Add.

    • Name: Select a field from the list.
    • Value: Enter a value for the selected field.
    Optional Settings

    Click to view the following additional optional setting:

    • JSON input (This event definition overrides the prior selections): Enter the Key-Value pair for the alert fields. Use the {"Key": "Value"} or [{"Key": "Value"}] format.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Update Alert activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Update Alert operation patterns

Splunk Update Alert activities can be used as a target with these operation patterns:

  • Transformation Pattern
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Update Alert activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Update Alert activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Update Alert Request) creates a request structure that is passed to the Splunk Update Alert activity. The second transformation (Splunk Update Alert Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Update Alert Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

 When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Delete Fired Alert activity 

A Splunk Delete Fired Alert activity places fired alert data from a Splunk endpoint and is intended to be used as a target to consume data in an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Delete Fired Alert activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field nameAction
    NameEnter a name to identify the Splunk Delete Fired Alert activity. The name must be unique for each Splunk Delete Fired Alert activity and must not contain forward slashes (/) or colons (:).
    Fired Alert Name IDEnter the ID of the fired alert to be deleted.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Delete Fired Alert activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Delete Fired Alert operation patterns

Splunk Delete Alert activities can be used as a target with these operation patterns:

  • Transformation Pattern
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Delete Fired Alert activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Delete Fired Alert activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Delete Fired Alert Request) creates a request structure that is passed to the Splunk Delete Fired Alert activity. The second transformation (Splunk Delete Fired Alert Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Delete Alert Response) and a message is then logged by the Write to Operation Log script:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

To configure a Splunk Delete Alert activity 

A Splunk Delete Alert activity places alert data from a Splunk endpoint and is intended to be used as a target to consume data in an operation. After configuring a Splunk connection, you can configure as many Splunk activities as you like for each Splunk connection.

To configure a Splunk Delete Alert activity, complete the following steps:

  1. After you add the activity to an operation, double-click the activity block.
  2. On the configuration screen, enter a name and specify the following activity settings:

    Field nameAction
    NameEnter a name to identify the Splunk Delete Alert activity. The name must be unique for each Splunk Delete Alert activity and must not contain forward slashes (/) or colons (:).
    Alert NameEnter the name of the Splunk alert to be deleted.


  3. Review the request and response data schemas displayed for your Splunk instance. 
    The data schemas list the fields available for the Splunk Delete Alert activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more. 
    The Splunk connector uses the  Splunk REST API v8.1.0 . For more information about the schema fields, see the API documentation.
  4. Click Finished.
    After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu .

To complete the configuration of the operation, add and configure other activities, transformations, or scripts as operation steps. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.

Splunk Delete Alert operation patterns

Splunk Delete Alert activities can be used as a target with these operation patterns:

  • Transformation Pattern
  • Two-Transformation Pattern  (as the first or second source)

You cannot use other patterns for the Splunk Delete Alert activities. For more information on the validation patterns, see the  Operation Validity  page.

A typical use case is to use a Splunk Delete Alert activity in the Two-Transformation Pattern. In this example, the first transformation (Splunk Delete Alert Request) creates a request structure that is passed to the Splunk Delete Alert activity. The second transformation (Splunk Delete Alert Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write Splunk Delete Alert Response) and a message is then logged by the Write to Operation Log script, as shown in the following image:

Tip

To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function. 

When ready, deploy and run the operation and validate behavior by checking the operation logs .

Was this page helpful? Yes No Submitting... Thank you

Comments