Splunk — ARX Docs

Overview¶

The Splunk connector integrates ARX with Splunk Enterprise and Splunk Cloud REST APIs, providing programmatic access to search, security event management, and administrative functions. It supports 20 operations across seven API families.

Authentication: Bearer token (Splunk authentication tokens).
Key capabilities:
Create and manage search jobs with SPL queries
Execute one-shot and streaming searches
Query and update notable events in Splunk Enterprise Security
Manage fired alerts and saved searches
Read and write to KV Store collections
Manage data inputs and indexes
List dashboards and views

All operations are policy-evaluated and audit-logged through the ARX BaseConnector framework.

Prerequisites¶

Requirement	Details
Splunk Instance	Splunk Enterprise or Splunk Cloud with REST API access enabled
Base URL	The Splunk management API URL (e.g., `https://your-instance:8089`)
Auth Token	A Splunk authentication token created under Settings > Tokens (or via `splunk auth-token create`)
Splunk ES	Enterprise Security app required for notable event operations (`notable:*`)
Permissions	Token must have roles with appropriate capabilities: `search`, `edit_notable_events`, `list_inputs_all`, `indexes_edit`, etc.

Store credentials in the ARX vault under the key splunk with fields base_url and token.

SDK Usage¶

from arxsec import ARXClient

arx = ARXClient()

# Execute a one-shot search
results = await arx.execute(
    connector="splunk",
    operation="search:oneshot",
    params={
        "search": "search index=main sourcetype=syslog error | stats count by host",
        "earliest_time": "-4h",
        "latest_time": "now",
        "max_count": 1000,
    },
)

# Query notable events from Enterprise Security
notables = await arx.execute(
    connector="splunk",
    operation="notable:read",
    params={
        "earliest_time": "-24h",
        "latest_time": "now",
        "count": 50,
    },
)

# Update a notable event status
await arx.execute(
    connector="splunk",
    operation="notable:update",
    params={
        "ruleUIDs": ["notable_uid_here"],
        "status": "2",
        "urgency": "high",
    },
)

Operations¶

Search API (6 operations)¶

Operation ID	Description	Risk	Method
`search:create`	Create a new search job	MEDIUM	POST
`search:read`	Get search job status and metadata	LOW	GET
`search:results`	Get results for a completed search job	LOW	GET
`search:cancel`	Cancel and delete a search job	LOW	DELETE
`search:export`	Export search results (streaming)	LOW	GET
`search:oneshot`	Execute an immediate one-shot search and return results	MEDIUM	POST

Notable Events / Enterprise Security (3 operations)¶

Operation ID	Description	Risk	Method
`notable:read`	Query notable events from Splunk ES	LOW	GET
`notable:update`	Update notable event status/urgency/owner	MEDIUM	POST
`notable:comment`	Add a comment to a notable event	LOW	POST

Alerts (3 operations)¶

Operation ID	Description	Risk	Method
`alerts:read`	List all triggered/fired alerts	LOW	GET
`alerts:read_saved`	List saved searches and alert definitions	LOW	GET
`alerts:suppress`	Suppress a fired alert by name	MEDIUM	POST

KV Store (3 operations)¶

Operation ID	Description	Risk	Method
`kvstore:read`	Read records from a KV store collection	LOW	GET
`kvstore:write`	Write/insert records into a KV store collection	MEDIUM	POST
`kvstore:delete`	Delete a record from a KV store collection	MEDIUM	DELETE

Data Inputs (2 operations)¶

Operation ID	Description	Risk	Method
`inputs:read`	List all data inputs	LOW	GET
`inputs:write`	Create a new data input	HIGH	POST

Index Management (2 operations)¶

Operation ID	Description	Risk	Method
`indexes:read`	List all available indexes	LOW	GET
`indexes:write`	Create a new index	HIGH	POST

Dashboards (1 operation)¶

Operation ID	Description	Risk	Method
`dashboards:read`	List dashboards and views	LOW	GET

Risk Classifications¶

Level	Criteria	Examples
LOW	Read operations, queries, status checks, comments, cancellations	`search:read`, `search:results`, `notable:read`, `notable:comment`, `alerts:read`, `kvstore:read`, `inputs:read`, `indexes:read`, `dashboards:read`
MEDIUM	Write operations that create searches, update event status, suppress alerts, or modify KV store data	`search:create`, `search:oneshot`, `notable:update`, `alerts:suppress`, `kvstore:write`, `kvstore:delete`
HIGH	Infrastructure changes that create new data inputs or indexes, affecting data ingestion and storage	`inputs:write`, `indexes:write`

Policy Examples¶

Allow SOC analysts to search and triage notables¶

rules:
  - name: "Allow search and notable read"
    connector: splunk
    operations:
      - "search:*"
      - "notable:read"
      - "notable:comment"
      - "alerts:read"
      - "alerts:read_saved"
    action: allow

  - name: "Allow notable updates with audit"
    connector: splunk
    operations:
      - "notable:update"
    action: allow
    audit: verbose

Block infrastructure changes in production¶

rules:
  - name: "Deny input and index creation"
    connector: splunk
    operations:
      - "inputs:write"
      - "indexes:write"
    action: deny
    reason: "Infrastructure changes must go through change management"

  - name: "Allow index and input reads"
    connector: splunk
    operations:
      - "inputs:read"
      - "indexes:read"
    action: allow

Restrict KV Store writes to automation service accounts¶

rules:
  - name: "KV Store writes for automation only"
    connector: splunk
    operations:
      - "kvstore:write"
      - "kvstore:delete"
    action: allow
    conditions:
      agent_role: automation_svc

  - name: "Deny KV Store writes for all others"
    connector: splunk
    operations:
      - "kvstore:write"
      - "kvstore:delete"
    action: deny