Triggers a workflow for every new event returned by the search query. Important Note: Sorting (for example, the `sort` command) is not permitted in the search query.
Workflows based on this trigger poll Splunk for new events every 5 minutes; this polling interval therefore bounds the delay between an event being indexed and its workflow starting.

Parameters

Parameter | Description
Ad Hoc Search Level — The search level of the created search job. For more information, refer to the Splunk documentation.
Execution Mode — Set to `normal` to run the search asynchronously.

Set to `blocking` to return the search ID (sid) only once the job is complete.
Search — The search query the created job will run.

Important Note: Sorting (for example, the `sort` command) is not permitted in the search query. Consider scoping the query as narrowly as possible (for example, to a specific index such as `index=notable`, as in the sample event below) so that only the events intended to trigger workflows are returned.
Search Mode — Set to `realtime` to search live incoming data, or `normal` to run a one-time search over historical indexed data.

Sample Event (identifiers, timestamps, the source IP address and the user principal are redacted with `x` in this example)

{
	"_bkt": "notable~17~xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
	"_cd": "17:xxxxxxxx",
	"_eventtype_color": "none",
	"_indextime": "xxxxxxxxxx",
	"_raw": "xxxxxxxxxx, search_name=\"Threat - External Authentication from Unexpected Location - Rule\", action=\"success\", city=\"Kempton Park (Isando)\", country=\"South Africa\", event_source=\"AAD\", event_time=\"2024-05-28 05:18:55 CDT\", first_event=\"2024-05-28 05:18:55 CDT\", info_max_time=\"xxxxxxxxxx.xxxxxxxxx\", info_min_time=\"xxxxxxxxxx.xxxxxxxxx\", info_search_time=\"xxxxxxxxxx.xxxxxxxxx\", last_event=\"2024-05-28 05:20:36 CDT\", region=\"Gauteng\", src=\"xxx.xxx.xxx.xxx\", user=\"xxxxxx.xxxxxx@xxxxxxx.xxx\"",
	"_serial": "0",
	"_si": [
		"idx20",
		"notable"
	],
	"_sourcetype": "stash",
	"_time": "2024-05-28T06:00:13.000-05:00",
	"action": "success",
	"city": "Kempton Park (Isando)",
	"country": "South Africa",
	"event_hash": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"event_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"event_source": "AAD",
	"event_time": "2024-05-28 05:18:55 CDT",
	"eventtype": [
		"modnotable_results",
		"notable"
	],
	"first_event": "2024-05-28 05:18:55 CDT",
	"host": "sh04",
	"index": "notable",
	"indexer_guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
	"info_max_time": "xxxxxxxxxx.xxxxxxxxx",
	"info_min_time": "xxxxxxxxxx.xxxxxxxxx",
	"info_search_time": "xxxxxxxxxx.xxxxxxxxx",
	"last_event": "2024-05-28 05:20:36 CDT",
	"linecount": "1",
	"orig_action_name": "notable",
	"orig_rid": "1",
	"orig_sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__RMDxxxxxxxxxxxxxxxx_at_xxxxxxxxxx_xxxxx",
	"region": "Gauteng",
	"rule_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"search_name": "Threat - External Authentication from Unexpected Location - Rule",
	"source": "Threat - External Authentication from Unexpected Location - Rule",
	"sourcetype": "stash",
	"splunk_server": "idx20",
	"src": "xxx.xxx.xxx.xxx",
	"src_is_expected": "false",
	"src_pci_domain": "untrust",
	"src_requires_av": "false",
	"src_should_timesync": "false",
	"src_should_update": "false",
	"tag": [
		"modaction_result",
		"success"
	],
	"tag::action": "success",
	"tag::eventtype": "modaction_result",
	"timestamp": "none",
	"user": "xxxxxx.xxxxxx@xxxxxxx.xxx",
	"user_watchlist": "false"
}