
New Query Search Event

Triggers a workflow on every new event returned by the search query. Note: do not use sorting in your search query.

info

Automations based on this trigger will search for new events every 5 minutes.

Parameters

Ad Hoc Search Level: The search level of the created search. For more information, refer to the Splunk Documentation.

Execution Mode: If set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns the results in the same call; in this case you can specify the output format (for example, json) with the output_mode parameter, as described in GET search/jobs/export. The default output format is xml. The oneshot mode does not return the search ID.

Search Mode: If set to realtime, the search runs over live data. A real-time search may also be indicated by earliest_time and latest_time values starting with 'rt', even if search_mode is set to normal or is unset. For a real-time search, if earliest_time and latest_time are both exactly 'rt', the search covers all appropriate live data received since the start of the search.

search: The search query the created job will run.

Sample Event

{
"_bkt": "notable~17~xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"_cd": "17:xxxxxxxx",
"_eventtype_color": "none",
"_indextime": "xxxxxxxxxx",
"_raw": "xxxxxxxxxx, search_name=\"Threat - External Authentication from Unexpected Location - Rule\", action=\"success\", city=\"Kempton Park (Isando)\", country=\"South Africa\", event_source=\"AAD\", event_time=\"2024-05-28 05:18:55 CDT\", first_event=\"2024-05-28 05:18:55 CDT\", info_max_time=\"xxxxxxxxxx.xxxxxxxxx\", info_min_time=\"xxxxxxxxxx.xxxxxxxxx\", info_search_time=\"xxxxxxxxxx.xxxxxxxxx\", last_event=\"2024-05-28 05:20:36 CDT\", region=\"Gauteng\", src=\"xxx.xxx.xxx.xxx\", user=\"xxxxxx.xxxxxx@xxxxxxx.xxx\"",
"_serial": "0",
"_si": [
"idx20",
"notable"
],
"_sourcetype": "stash",
"_time": "2024-05-28T06:00:13.000-05:00",
"action": "success",
"city": "Kempton Park (Isando)",
"country": "South Africa",
"event_hash": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"event_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"event_source": "AAD",
"event_time": "2024-05-28 05:18:55 CDT",
"eventtype": [
"modnotable_results",
"notable"
],
"first_event": "2024-05-28 05:18:55 CDT",
"host": "sh04",
"index": "notable",
"indexer_guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"info_max_time": "xxxxxxxxxx.xxxxxxxxx",
"info_min_time": "xxxxxxxxxx.xxxxxxxxx",
"info_search_time": "xxxxxxxxxx.xxxxxxxxx",
"last_event": "2024-05-28 05:20:36 CDT",
"linecount": "1",
"orig_action_name": "notable",
"orig_rid": "1",
"orig_sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__RMDxxxxxxxxxxxxxxxx_at_xxxxxxxxxx_xxxxx",
"region": "Gauteng",
"rule_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"search_name": "Threat - External Authentication from Unexpected Location - Rule",
"source": "Threat - External Authentication from Unexpected Location - Rule",
"sourcetype": "stash",
"splunk_server": "idx20",
"src": "xxx.xxx.xxx.xxx",
"src_is_expected": "false",
"src_pci_domain": "untrust",
"src_requires_av": "false",
"src_should_timesync": "false",
"src_should_update": "false",
"tag": [
"modaction_result",
"success"
],
"tag::action": "success",
"tag::eventtype": "modaction_result",
"timestamp": "none",
"user": "xxxxxx.xxxxxx@xxxxxxx.xxx",
"user_watchlist": "false"
}
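The following is an added example, not code from the original page or from the automation product it documents. It shows the two pieces of work such a trigger performs every poll: building the request for Splunk's search/jobs endpoint from the parameters above (rejecting a sorted query, as the note at the top asks), and deciding which rows of a result set are new, using the event_id and the _bkt/_cd pair seen in the sample event. The endpoint path /services/search/jobs, the form fields search, exec_mode, output_mode, earliest_time and latest_time, the Bearer token header, and the {"results": [...]} shape of a oneshot JSON response are assumptions about Splunk's REST API; the sample batches are constructed from the event above so the module runs offline.

```python
"""Poll a Splunk search the way a 'new query search event' trigger does."""
import json
import re
import time
import urllib.parse
import urllib.request

POLL_INTERVAL_SECONDS = 300  # the page states the trigger searches every 5 minutes

_SORT_COMMAND = re.compile(r"\|\s*sort\b", re.IGNORECASE)


def is_sorted_query(search):
    """True if the SPL contains a sort command, which the trigger forbids."""
    return bool(_SORT_COMMAND.search(search))


def build_search_request(search, exec_mode="oneshot", search_mode="normal",
                         earliest_time="-5m", latest_time="now"):
    """Return the form fields for a POST to /services/search/jobs (assumed API).

    earliest_time/latest_time default to the 5-minute poll window; pass 'rt'
    values for a real-time search as the Search Mode parameter describes.
    """
    if exec_mode not in ("normal", "blocking", "oneshot"):
        raise ValueError("exec_mode must be normal, blocking or oneshot")
    if search_mode not in ("normal", "realtime"):
        raise ValueError("search_mode must be normal or realtime")
    if is_sorted_query(search):
        raise ValueError("do not use sorting in the trigger's search query")
    query = search.strip()
    if not query.startswith("search ") and not query.startswith("|"):
        query = "search " + query  # REST searches must begin with a command
    fields = {
        "search": query,
        "exec_mode": exec_mode,
        "search_mode": search_mode,
        "earliest_time": earliest_time,
        "latest_time": latest_time,
    }
    if exec_mode == "oneshot":
        fields["output_mode"] = "json"  # default is xml; ask for json instead
    return fields


def event_key(event):
    """Identity of a result row for de-duplication.

    Notable events carry event_id; other rows fall back to the bucket plus
    _cd pair, which together identify one event in one index.
    """
    if event.get("event_id"):
        return ("event_id", event["event_id"])
    return ("cd", event.get("_bkt"), event.get("_cd"))


def new_events(results, seen):
    """Return rows of `results` not in `seen`, adding their keys to `seen`."""
    fresh = []
    for event in results:
        key = event_key(event)
        if key not in seen:
            seen.add(key)
            fresh.append(event)
    return fresh


def run_oneshot(base_url, token, fields, opener=urllib.request.urlopen):
    """POST a oneshot search and return its result rows (assumed response shape)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs",
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Authorization": "Bearer " + token},
    )
    with opener(req) as resp:
        body = json.loads(resp.read().decode())
    return body.get("results", [])


# Constructed sample data: the notable from the page, then a later poll that
# returns it again together with one event that has no event_id.
NOTABLE = {
    "event_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "_bkt": "notable~17~xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "_cd": "17:xxxxxxxx",
    "search_name": "Threat - External Authentication from Unexpected Location - Rule",
    "src": "xxx.xxx.xxx.xxx",
}
PLAIN_EVENT = {"_bkt": "main~3~constructed", "_cd": "3:constructed", "src": "xxx.xxx.xxx.xxx"}
FIRST_POLL = [NOTABLE]
SECOND_POLL = [NOTABLE, PLAIN_EVENT]


if __name__ == "__main__":
    # Replace the placeholders with a real host and token before running online.
    seen = set()
    fields = build_search_request("index=notable")
    while True:
        for event in new_events(run_oneshot("https://splunk.example:8089", "TOKEN-PLACEHOLDER", fields), seen):
            print("new event:", event.get("search_name"), event.get("src"))
        time.sleep(POLL_INTERVAL_SECONDS)
```

The `seen` set grows without bound in this sketch; a production poller would instead advance earliest_time past the newest _time it has handled and keep only the keys from the last window.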