Splunk · Arazzo Workflow

Splunk Provision an Index and Attach a Monitor Input

Version 1.0.0

Create an event index, verify it, then create a file monitor input that feeds it.

1 workflow 1 source API 1 provider

Provider

splunk

Workflows

provision-index-and-monitor
Create an index, confirm it, attach a monitor input, and confirm the input.
Creates a new event index, fetches it to verify, creates a monitor input targeting that index, and fetches the monitor input to confirm its configuration.
4 steps
Inputs: frozenTimePeriodInSecs, indexName, maxTotalDataSizeMB, monitorPath, sourcetype
Outputs: indexName, monitorIndex, monitorName
1. createIndex (operationId: createIndex)
   Create a new event index with the supplied retention and size settings.
2. verifyIndex (operationId: getIndex)
   Fetch the newly created index to confirm it exists and read back its configuration.
3. createMonitor (operationId: createMonitorInput)
   Create a file or directory monitor input that ingests new data into the index just provisioned.
4. verifyMonitor (operationId: getMonitorInput)
   Fetch the monitor input to confirm it is configured against the new index.

Source API Descriptions

splunkApi: ../openapi/splunk-enterprise-rest-api.yml (openapi)

Arazzo Workflow Specification

splunk-provision-index-and-monitor-workflow.yml
arazzo: 1.0.1
info:
  title: Splunk Provision an Index and Attach a Monitor Input
  summary: Create an event index, verify it, then create a file monitor input that feeds it.
  description: >-
    A data-onboarding pattern. A new event index is created and read back to
    confirm its configuration, then a file or directory monitor input is created
    that ingests data into that index, and the monitor is read back to confirm
    it is wired up. Every step spells out its request inline so the flow can be
    read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: splunkApi
  url: ../openapi/splunk-enterprise-rest-api.yml
  type: openapi
workflows:
- workflowId: provision-index-and-monitor
  summary: Create an index, confirm it, attach a monitor input, and confirm the input.
  description: >-
    Creates a new event index, fetches it to verify, creates a monitor input
    targeting that index, and fetches the monitor input to confirm its
    configuration.
  inputs:
    type: object
    required:
    - indexName
    - monitorPath
    properties:
      indexName:
        type: string
        description: Name for the new index (e.g. "my_new_index").
      maxTotalDataSizeMB:
        type: integer
        description: Maximum total size of the index in MB.
      frozenTimePeriodInSecs:
        type: integer
        description: Seconds until data is frozen out of the index.
      monitorPath:
        type: string
        description: The file or directory path to monitor (e.g. "/var/log/syslog").
      sourcetype:
        type: string
        description: Source type to assign to data from the monitor input.
  steps:
  - stepId: createIndex
    description: >-
      Create a new event index with the supplied retention and size settings.
    operationId: createIndex
    parameters:
    - name: output_mode
      in: query
      value: json
    requestBody:
      contentType: application/x-www-form-urlencoded
      payload:
        name: $inputs.indexName
        datatype: event
        maxTotalDataSizeMB: $inputs.maxTotalDataSizeMB
        frozenTimePeriodInSecs: $inputs.frozenTimePeriodInSecs
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      name: $response.body#/name
      datatype: $response.body#/content/datatype
  - stepId: verifyIndex
    description: >-
      Fetch the newly created index to confirm it exists and read back its
      configuration.
    operationId: getIndex
    parameters:
    - name: name
      in: path
      value: $steps.createIndex.outputs.name
    - name: output_mode
      in: query
      value: json
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      maxTotalDataSizeMB: $response.body#/content/maxTotalDataSizeMB
      disabled: $response.body#/content/disabled
  - stepId: createMonitor
    description: >-
      Create a file or directory monitor input that ingests new data into the
      index just provisioned.
    operationId: createMonitorInput
    parameters:
    - name: output_mode
      in: query
      value: json
    requestBody:
      contentType: application/x-www-form-urlencoded
      payload:
        name: $inputs.monitorPath
        index: $steps.createIndex.outputs.name
        sourcetype: $inputs.sourcetype
        disabled: false
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      name: $response.body#/name
  - stepId: verifyMonitor
    description: >-
      Fetch the monitor input to confirm it is configured against the new index.
    operationId: getMonitorInput
    parameters:
    - name: name
      in: path
      value: $steps.createMonitor.outputs.name
    - name: output_mode
      in: query
      value: json
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      index: $response.body#/content/index
      sourcetype: $response.body#/content/sourcetype
  outputs:
    indexName: $steps.createIndex.outputs.name
    monitorName: $steps.createMonitor.outputs.name
    monitorIndex: $steps.verifyMonitor.outputs.index
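The four-step flow in the specification above, driven end to end by a minimal Arazzo-style runner; this is an added example, not part of the page's specification or of Splunk's tooling. It resolves the runtime expressions the spec relies on ($inputs.*, $steps.*.outputs.*, $statusCode, $response.body#/...), refuses to publish a step's outputs until its successCriteria hold, and runs against a constructed in-memory stand-in for the Splunk REST API. The stand-in's name/content response shape and its dispatch on operationId are assumptions made so the runner can execute offline, not Splunk's real response envelope.

```python
FAKE_STATE = {}  # constructed in-memory stand-in for a Splunk instance; nothing here contacts a real server
def fake_splunk(operation_id, params, payload):
    """Constructed Splunk REST stand-in; returns the name/content shape the workflow's pointers expect."""
    if operation_id in ("createIndex", "createMonitorInput"):
        FAKE_STATE[payload["name"]] = payload
        return 201, {"name": payload["name"], "content": payload}
    if params["name"] in FAKE_STATE:  # getIndex / getMonitorInput
        return 200, {"name": params["name"], "content": FAKE_STATE[params["name"]]}
    return 404, {"messages": [{"type": "ERROR", "text": "not found"}]}
def resolve(expr, ctx):
    """Resolve the Arazzo runtime expressions this workflow uses; plain literals pass through."""
    if not isinstance(expr, str) or not expr.startswith("$"):
        return expr
    if expr == "$statusCode": return ctx["statusCode"]  # HTTP status of the last response
    if expr.startswith("$response.body#/"):  # JSON pointer (RFC 6901) into the last response body
        node = ctx["response"]
        for token in expr[16:].split("/"):
            node = node[int(token)] if isinstance(node, list) else node[token]
        return node
    head, *rest = expr[1:].split(".")  # $inputs.<name> or $steps.<stepId>.outputs.<name>
    if head == "inputs" and len(rest) == 1:
        return ctx["inputs"][rest[0]]
    if head == "steps" and len(rest) == 3 and rest[1] == "outputs":
        return ctx["steps"][rest[0]][rest[2]]
    raise ValueError(f"unsupported expression: {expr}")  # never pass an unresolved reference through as a literal
def run_workflow(steps, inputs, send):
    """Run steps in order; a step's outputs are published only once all its successCriteria hold."""
    ctx = {"inputs": inputs, "steps": {}}
    for step in steps:
        params = {k: resolve(v, ctx) for k, v in step.get("parameters", {}).items()}
        payload = {k: resolve(v, ctx) for k, v in step.get("payload", {}).items()}
        ctx["statusCode"], ctx["response"] = send(step["operationId"], params, payload)
        for cond in step["successCriteria"]:  # this workflow only uses the form '<expr> == <int>'
            lhs, rhs = cond.split("==")
            if resolve(lhs.strip(), ctx) != int(rhs):
                raise RuntimeError(f"{step['stepId']}: '{cond}' not met (status {ctx['statusCode']})")
        ctx["steps"][step["stepId"]] = {k: resolve(v, ctx) for k, v in step["outputs"].items()}
    return ctx["steps"]

STEPS = [  # the page's four steps, reduced to the fields the runner reads
    {"stepId": "createIndex", "operationId": "createIndex", "successCriteria": ["$statusCode == 201"],
     "payload": {"name": "$inputs.indexName", "datatype": "event"}, "outputs": {"name": "$response.body#/name"}},
    {"stepId": "verifyIndex", "operationId": "getIndex", "successCriteria": ["$statusCode == 200"],
     "parameters": {"name": "$steps.createIndex.outputs.name"}, "outputs": {"datatype": "$response.body#/content/datatype"}},
    {"stepId": "createMonitor", "operationId": "createMonitorInput", "successCriteria": ["$statusCode == 201"],
     "payload": {"name": "$inputs.monitorPath", "index": "$steps.createIndex.outputs.name", "sourcetype": "$inputs.sourcetype"},
     "outputs": {"name": "$response.body#/name"}},
    {"stepId": "verifyMonitor", "operationId": "getMonitorInput", "successCriteria": ["$statusCode == 200"],
     "parameters": {"name": "$steps.createMonitor.outputs.name"}, "outputs": {"index": "$response.body#/content/index"}},
]
```

The verify steps are what make the workflow's monitorIndex output trustworthy: it is read back from what the server reports for the monitor input, not copied from the value that was requested, so a monitor wired to the wrong index fails the run instead of being reported as provisioned.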