splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0

How can we logevent result to the new index of the saved query in splunk using terraform? #134

Open ShubhangiUpadhyay opened 2 years ago

infoseckyle commented 2 years ago

You should be able to use the normal splunk | collect command.

ShubhangiUpadhyay commented 2 years ago

For instance, I need to log an event in the new index using this:

{
  name                   = "TEST_Splunk_Search - AWS - test"
  search                 = "index=cloudtrail | stats count by ClientIP"
  description            = "This is the test Detection for AWS"
  dispatch_earliest_time = "rt-60m"
  dispatch_latest_time   = "rt-0m"
  cron_schedule          = "*/5 * * * *"
  is_scheduled           = true
  disabled               = false
  actions                = "logevent"
  action_logevent_index  = "test"
}

(alternative for "action.logevent.param.index")
infoseckyle commented 2 years ago

You'll need to modify your search query to perform the summary index function.

{
  name                   = "TEST_Splunk_Search - AWS - test"
  search                 = "index=cloudtrail | stats count by ClientIP | collect index=summary"
  description            = "This is the test Detection for AWS"
  dispatch_earliest_time = "rt-60m"
  dispatch_latest_time   = "rt-0m"
  cron_schedule          = "*/5 * * * *"
  is_scheduled           = true
  disabled               = false
  actions                = "logevent"
  action_logevent_index  = "test"
}

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect
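A complete version of the approach suggested above, as an added example that is not code from the issue or from the provider's own documentation: the summary index is created by Terraform too, the saved search writes into it with `| collect`, and a `marker` field records which detection produced each summarised event. The resource types `splunk_indexes` and `splunk_saved_searches` are taken from my knowledge of this provider; the attribute names follow the thread, and the index name, search body and schedule window are constructed values.

```hcl
# Added example, not from the issue thread. Assumes the provider's
# splunk_indexes and splunk_saved_searches resource types.

# The target index must exist before the first scheduled run, otherwise
# `collect` has nowhere to write; declaring it here makes Terraform create
# it and order it before the search through the reference below.
resource "splunk_indexes" "summary" {
  name = "aws_detections_summary" # constructed name
}

resource "splunk_saved_searches" "aws_clientip_summary" {
  name        = "TEST_Splunk_Search - AWS - test"
  description = "Summarise CloudTrail events per ClientIP into a summary index"

  # The write into the new index is done inside the SPL itself with
  # `| collect`, not by a separate alert action. `marker` stamps every
  # summarised event with the producing search so the origin of the rows
  # in the summary index can be audited later; `addtime=true` keeps the
  # original event time rather than the time of the collect run.
  search = join(" ", [
    "index=cloudtrail",
    "| stats count by ClientIP",
    "| collect index=${splunk_indexes.summary.name}",
    "addtime=true marker=\"search=aws_clientip_summary\"",
  ])

  # Scheduled, non-real-time window: one run every five minutes over the
  # previous five minutes snapped to the minute, so each run summarises
  # exactly the data of the interval that closed before it.
  cron_schedule          = "*/5 * * * *"
  is_scheduled           = true
  disabled               = false
  dispatch_earliest_time = "-5m@m"
  dispatch_latest_time   = "@m"
}
```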