Set up a POST workflow action
You set up POST workflow actions in a manner similar to that of GET link actions. However, POST requests are typically defined by a form element in HTML along with some inputs that are converted into POST arguments. This means that you have to identify POST arguments to send to the identified URI.
1. Navigate to Settings > Fields > Workflow Actions.
2. Click New to open up a new workflow action form.
3. Define a Label for the action.
The Label field enables you to define the text that is displayed in either the field or event workflow menu. Labels can be static or include the value of relevant fields.
4. Determine whether the workflow action applies to specific fields or event types in your data.
Use Apply only to the following fields to identify one or more fields. When you identify fields, the workflow action only appears for events that have those fields, either in their event menu or field menus. If you leave it blank or enter an asterisk the action appears in menus
Use Apply only to the following event types to identify one or more event types. If you identify an event type, the workflow action only appears in the event menus for events that belong to the event type.
5. For Show action in, determine whether you want the action to appear in the Event menu, the Fields menus, or Both.
6. Set Action type to Link.
7. Under URI, provide the URI for a web resource that responds to POST requests.
8. Under Open link in, determine whether the workflow action displays in the current window or if it opens the link in a new window.
9. Set Link method to Post.
10. Under Post arguments, define the arguments that should be sent to the web resource at the identified URI.
These arguments are key and value combinations. On both the key and value sides of the argument, you can use field names enclosed in dollar signs to identify the field value from your events that should be sent over to the resource. You can define multiple key/value arguments in one POST workflow action.
Enter the key in the first field, and the value in the second field. Click Add another field to create an additional POST argument.
11. Click Save to save your workflow action definition.
Splunk Enterprise automatically HTTP-form encodes variables that it passes in POST link actions via URIs. This means you can include values that have spaces between words or punctuation characters.
Example - Allow an http error to create an entry in an issue tracking application
You have configured your Splunk Enterprise app to extract HTTP status codes from a web service log as a field called http_status. Along with the http_status field the events typically contain either a normal single-line description request, or a multiline python stacktrace originating from the python process that produced an error.
You want to design a workflow action that only appears for error events where http_status is in the 500 range. You want the workflow action to send the associated python stacktrace and the HTTP status code to an external issue management system to generate a new bug report.
However, the issue management system only accepts POST requests to a specific endpoint.
Here's how you might set up the POST workflow action that fits your requirements:
Note that the first POST argument sends server error $http_status$ to a title field in the external issue tracking system. If you select this workflow action for an event with an http_status of 500, then it opens an issue with the title server error 500 in the issue tracking system.
The second POST argument uses the _raw field to include the multiline python stacktrace in the description field of the new issue.
Finally, note that the workflow action has been set up so that it only applies to events belonging to the errors_in_500_range event type. This is an event type that is only applied to events carrying http_error values in the typical HTTP error range of 500 or greater. Events with HTTP error codes below 500 do not display the submit error report workflow action in their event or field menus.
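The token substitution and form encoding described above can be modelled in a few lines of Python. This is an added example, not Splunk's own code; the function names, the constructed sample event, and the handling of a missing field (empty string) are assumptions.

```python
import re
from urllib.parse import urlencode, parse_qs

# Matches a $field$ token as used in POST argument keys and values.
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")


def expand(template, event):
    """Replace each $field$ token with that field's value from the event.

    Assumption: a token whose field is absent becomes an empty string.
    """
    return TOKEN.sub(lambda m: str(event.get(m.group(1), "")), template)


def build_post_body(post_args, event):
    """Expand tokens on both key and value sides, then form-encode the pairs."""
    pairs = [(expand(k, event), expand(v, event)) for k, v in post_args]
    return urlencode(pairs)


# The two POST arguments from the issue tracker example.
POST_ARGS = [
    ("title", "server error $http_status$"),
    ("description", "$_raw$"),
]

# Constructed sample event: a multiline stacktrace containing spaces,
# quotes, newlines and an ampersand.
SAMPLE_EVENT = {
    "http_status": "500",
    "_raw": (
        "Traceback (most recent call last):\n"
        '  File "app.py", line 12, in handler\n'
        "    total = a / b & mask\n"
        "ZeroDivisionError: division by zero"
    ),
}


def demo():
    """Return the encoded body and what a form parser recovers from it."""
    body = build_post_body(POST_ARGS, SAMPLE_EVENT)
    return body, parse_qs(body)


if __name__ == "__main__":
    encoded, decoded = demo()
    print(encoded)
    print(decoded)
```

Because every value is encoded, the ampersand inside the raw event stays part of the description value instead of starting a third POST argument, which matters when the event text comes from untrusted log input.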
Lab 19 Tagging
Tagging
Tags are used to label specific values of a field. For example, many names of servers may not be immediately recognized, and using a tag format can help them be more easily recognizable or distinguishable from each other.
To tag the value of a field, use the following steps:
1. Go to Settings | Tags. A window will open, as shown in the following screenshot:
Adding Tags
2. Under List by tag name, click Add new.
3. Here we want to tag an item as ITEM14 whenever the value of itemId=EST-14, as shown in the following screenshot:
Naming Tags and Specifying Field Value Pairs
4. You will now see your tag listed as shown in the following screenshot:
List by Tag Name
5. Go back to the event list and click the > sign next to an event. You will see details of the event open up in a way similar to that presented in the following screenshot. You can see here that itemid=EST-14 has been tagged as ITEM14.
Now everywhere that EST-14 occurs, it will be tagged as ITEM14.
Note that itemid=EST-14 has been tagged as ITEM14
Tags enable you to search more easily and to convey meaning about the field values. When you search tag=ITEM14, all the cases where itemid=EST-14 show up. By using tags in this manner, you can facilitate your analysis.
Setting event types
Another way of preparing data to be reported is to set event types, which let you put events into categories. When setting event types, you can use wildcards, field values, and Boolean expressions. This capability makes event types more versatile and powerful than tags, for which you can only use field values. As with tags, you can choose the categories you like.
When setting event types, be aware of the following:
1. You can't do a sub-search to create an Event type.
2. You can't use pipes in a search that creates an Event type.
As an example of how to create an Event type, take the following steps using the buttercupgames file:
° Enter this into the search bar:
sourcetype="access_*" status=200 action=purchase
° This creates a search for events where the sourcetype is an accessed web page, the access was successful (status=200), and it ended in a purchase:
Search that will be saved as an Event Type
3. Click Save As | Event Type in the upper-right corner of the screen and create a name for the event type. In this case, we have used the name success.
4. In this screenshot, when we enter buttercupgames | stats count by eventtype, we get a count of each event type. In this case, we have only one event type, so we get only one count in our table, but we could easily put other event types in:
Shows Count by Eventtype
5. If you want to remove an event type, go to Settings | Event types, and you will get a screen similar to what is shown in the following screenshot. Just find the event type you want to remove and click on Delete:
Event Types (Notice that you can Delete the one you just made.)