Triggers a workflow on every new event retrieved out of the search query. Note, do not use sorting in your search query.

Workflows based on this trigger will search for new events every 5 minutes.

Parameters

ParameterDescription
Ad Hoc Search LevelThe search level of the created search. For more information, refer to the Splunk Documentation.
Execution ModeIf set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml. Does not return the search ID.
SearchThe search query the created job will run.
Search ModeIf set to realtime, search runs over live data. A real-time search may also be indicated by earliest_time and latest_time variables starting with ‘rt’ even if the search_mode is set to normal or is unset. For a real-time search, if both earliest_time and latest_time are both exactly ‘rt’, the search represents all appropriate live data received since the start of the search.

Sample Event

{
	"_bkt": "notable~17~xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
	"_cd": "17:xxxxxxxx",
	"_eventtype_color": "none",
	"_indextime": "xxxxxxxxxx",
	"_raw": "xxxxxxxxxx, search_name=\"Threat - External Authentication from Unexpected Location - Rule\", action=\"success\", city=\"Kempton Park (Isando)\", country=\"South Africa\", event_source=\"AAD\", event_time=\"2024-05-28 05:18:55 CDT\", first_event=\"2024-05-28 05:18:55 CDT\", info_max_time=\"xxxxxxxxxx.xxxxxxxxx\", info_min_time=\"xxxxxxxxxx.xxxxxxxxx\", info_search_time=\"xxxxxxxxxx.xxxxxxxxx\", last_event=\"2024-05-28 05:20:36 CDT\", region=\"Gauteng\", src=\"xxx.xxx.xxx.xxx\", user=\"xxxxxx.xxxxxx@xxxxxxx.xxx\"",
	"_serial": "0",
	"_si": [
		"idx20",
		"notable"
	],
	"_sourcetype": "stash",
	"_time": "2024-05-28T06:00:13.000-05:00",
	"action": "success",
	"city": "Kempton Park (Isando)",
	"country": "South Africa",
	"event_hash": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"event_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"event_source": "AAD",
	"event_time": "2024-05-28 05:18:55 CDT",
	"eventtype": [
		"modnotable_results",
		"notable"
	],
	"first_event": "2024-05-28 05:18:55 CDT",
	"host": "sh04",
	"index": "notable",
	"indexer_guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
	"info_max_time": "xxxxxxxxxx.xxxxxxxxx",
	"info_min_time": "xxxxxxxxxx.xxxxxxxxx",
	"info_search_time": "xxxxxxxxxx.xxxxxxxxx",
	"last_event": "2024-05-28 05:20:36 CDT",
	"linecount": "1",
	"orig_action_name": "notable",
	"orig_rid": "1",
	"orig_sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__RMDxxxxxxxxxxxxxxxx_at_xxxxxxxxxx_xxxxx",
	"region": "Gauteng",
	"rule_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"search_name": "Threat - External Authentication from Unexpected Location - Rule",
	"source": "Threat - External Authentication from Unexpected Location - Rule",
	"sourcetype": "stash",
	"splunk_server": "idx20",
	"src": "xxx.xxx.xxx.xxx",
	"src_is_expected": "false",
	"src_pci_domain": "untrust",
	"src_requires_av": "false",
	"src_should_timesync": "false",
	"src_should_update": "false",
	"tag": [
		"modaction_result",
		"success"
	],
	"tag::action": "success",
	"tag::eventtype": "modaction_result",
	"timestamp": "none",
	"user": "xxxxxx.xxxxxx@xxxxxxx.xxx",
	"user_watchlist": "false"
}