
SPLUNK n8n INTEGRATION: AUTOMATE SPLUNK WITH N8N

Looking to automate Splunk with n8n? You're in the right place. The Splunk n8n integration gives you access to 15 powerful actions to streamline your security monitoring, log management, and data analytics workflows directly from your n8n automation environment.

With this native integration, you can manage users, execute and retrieve search jobs, handle reports, and monitor fired alerts—all without writing custom API code. Whether you're building automated incident response pipelines, synchronizing user access across platforms, or creating scheduled report generation workflows, the Splunk n8n connection handles the heavy lifting.

In this comprehensive guide, you'll discover exactly how to connect Splunk to n8n, explore every available action in detail, and learn practical use cases to maximize your automation potential. Let's dive into what makes this integration essential for any data-driven operations team.


Why automate Splunk with n8n?

The Splunk n8n integration provides 15 distinct actions spanning user management, search operations, report handling, and alert monitoring. This comprehensive coverage means you can automate virtually any routine Splunk task—from provisioning new team members to extracting critical search results for downstream processing.

Significant time savings stand out as the primary benefit. Instead of manually logging into Splunk's interface to check search job results, create users, or pull alert metrics, your n8n workflows handle these operations automatically. Set up smart rules that fetch fired alerts every hour and route critical findings to Slack or Discord, or automatically provision new users when they're added to your HR system. What once required dedicated attention now runs silently in the background.

Critical monitoring with nothing overlooked becomes reality with this integration. Your workflows can continuously poll for fired alerts, retrieve search results, and compile report data around the clock. Every security event, every completed search job, every report update triggers immediate downstream actions, whether that's sending notifications, updating dashboards, or escalating incidents.

Consider these practical applications: automatically create Splunk users when employees join via your identity provider, retrieve search results and push them to a data warehouse like Supabase for analysis, generate weekly report summaries sent directly to stakeholders, or instantly notify your SOC team when specific alerts fire. The possibilities extend across security operations, compliance monitoring, and business intelligence workflows.

How to connect Splunk to n8n?

  1. Add the node

    Search and add the node in your workflow.

    Splunk credentials

    💡 TIP: Create a dedicated Splunk service account specifically for n8n automations rather than using personal credentials. This approach improves security auditing, allows you to set precise role-based permissions, and ensures your automations continue running even when individual team members rotate out of the organization.

Splunk actions available in n8n

  1. Action 01

    Create User

    The Create User action enables you to programmatically provision new user accounts in your Splunk instance directly from n8n workflows. This is particularly valuable for organizations managing user lifecycle through automated processes—when someone joins via your HR system or identity provider, a Splunk account can be created automatically without manual intervention.

    Key parameters: Credential to connect with (required dropdown to select your configured Splunk account credentials for authentication), Name (required text field where you specify the username for the new Splunk account), Roles (selection field for assigning one or more roles to the user, determining their access permissions within Splunk), Password (required text field for setting the initial password for the new user account), Additional Fields (optional section allowing you to configure extra user properties beyond the core requirements).

    Use cases: Automatically create Splunk accounts when new employees are added to Active Directory, provision analyst accounts when team members are assigned to security projects in your project management tool, or set up temporary accounts for auditors based on scheduled compliance reviews.

  2. Action 02

    Get User

    The Get User action retrieves detailed information about a specific user account from your Splunk instance. This proves invaluable for verification workflows, access audits, or when you need to pull user details before performing subsequent operations in your automation chain.

    Key parameters: Credential to connect with (required dropdown for selecting the Splunk account to authenticate with), Resource (set to "User" to indicate this action operates on user entities), Operation (configured as "Get" to retrieve user information), User (required parameter offering selection via dropdown list or manual entry. Choose "From list" to pick from available users, or use "Fixed" mode to specify a user directly).

    Use cases: Verify user existence before attempting updates, retrieve user role assignments for access review workflows, or pull user details to populate reports and dashboards tracking Splunk access across your organization.

  3. Action 03

    Splunk: Get Many Users

    When you need to retrieve multiple user accounts at once, the Get Many Users action delivers bulk user data efficiently. This action is essential for comprehensive user audits, syncing user lists with external systems, or generating user access reports.

    Key parameters: Credential to connect with (required dropdown to select your Splunk account credentials), Resource (set to "User" for user-related operations), Operation (configured as "Get Many" to retrieve multiple records), Return All (optional toggle that, when enabled, fetches every user record regardless of the limit setting), Limit (optional number field specifying the maximum users to return when "Return All" is disabled; default: 50).

    Use cases: Export your complete Splunk user list for compliance documentation, compare Splunk users against your identity provider to identify orphaned accounts, or build a dashboard showing all users and their assigned roles across your security infrastructure.

  4. Action 04

    Update User

    The Update User action allows you to modify existing user account properties programmatically. Whether you're adjusting roles after a promotion, updating contact information, or making bulk permission changes, this action handles user modifications within your automated workflows.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "User" to target user entities), Operation (configured as "Update" to modify existing records), User (required field to identify which user to update—select from a list or specify directly), Update Fields (section where you add and configure specific properties to modify. Initially empty; click "Add Field" to include attributes like roles, email, or default app).

    Use cases: Automatically update user roles when their job function changes in your HR system like BambooHR, modify default app assignments based on department mappings, or implement scheduled role rotations for security-sensitive positions.

  5. Action 05

    Delete User

    The Delete User action removes user accounts from your Splunk instance. This supports offboarding workflows, cleanup operations, and automated access revocation when employees leave or when temporary accounts expire.

    Key parameters: Credential to connect with (required dropdown to select the Splunk credentials for authentication), Resource (set to "User" to operate on user entities), Operation (configured as "Delete" to remove the specified user), User (required parameter identifying the user to delete. Supports selection from a list or direct specification via fixed value or expression).

    Use cases: Automatically revoke Splunk access when employees are marked as terminated in your HR system, clean up test accounts after development cycles, or implement scheduled deletion of temporary vendor accounts after their access period ends.

  6. Action 07

    Splunk: Get Search Job

    The Get Search Job action retrieves information about a specific search job, including its current status, progress, and metadata. This is crucial for workflows that need to monitor search completion before proceeding to result retrieval.

    Key parameters: Credential to connect with (required dropdown to select your Splunk account credentials), Resource (set to "Search" for search-related operations), Operation (configured as "Get" to retrieve search job details), Search Job (required parameter to specify which search job to retrieve. Select from a list of active jobs or provide the search ID directly).

    Use cases: Check search job status before attempting to retrieve results, monitor long-running searches in automated pipelines, or verify search completion as part of a multi-step data processing workflow.

  7. Action 08

    Splunk Search: Get Many

    The Get Many Search operation retrieves multiple search jobs at once, providing an overview of active, completed, or historical searches within your Splunk environment. This supports audit workflows and search management automation.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "Search" for search entity operations), Operation (configured as "Get Many" to retrieve multiple search records), Return All (optional toggle to fetch all available search jobs when enabled), Limit (optional number field specifying the maximum results to return when "Return All" is disabled; default: 50), Sort (optional parameter to define result ordering criteria).

    Use cases: Generate reports of all searches run during a specific period for audit purposes, clean up stale search jobs by identifying old incomplete searches, or monitor search activity patterns across your Splunk deployment.

  8. Action 09

    Get Result

    The Get Result action retrieves the actual output data from a completed Splunk search job. This is where you extract the insights—the events, statistics, or aggregations your search query produced—for processing in subsequent workflow steps.

    Key parameters: Credential to connect with (required dropdown for selecting your Splunk credentials), Resource (set to "Search" for search operations), Operation (configured as "Get Result" to retrieve search output), Search Job (required parameter identifying which search job's results to fetch), Return All (optional toggle to retrieve all results regardless of limit), Limit (optional number field specifying the maximum results to return when "Return All" is disabled; default: 50), Filters (optional section for refining which results to return), Options (advanced configuration for additional API parameters).

    Use cases: Extract security events for forwarding to incident management platforms, pull aggregated metrics for dashboard updates, or retrieve log data for compliance report generation.

  9. Action 10

    Delete Search Job

    The Delete Search Job action removes a search job and its associated results from your Splunk instance. This supports cleanup operations, resource management, and workflows that need to remove temporary searches after processing their results.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "Search" for search entity operations), Operation (configured as "Delete" to remove the specified search job), Search Job (required parameter specifying the search job to delete. Select from a list or provide the search ID directly).

    Use cases: Clean up ad-hoc searches after extracting their results, implement automated retention policies for search artifacts, or remove failed search jobs as part of error handling routines.

  10. Action 11

    Splunk Report: Get

    The Get Report action retrieves detailed information about a specific saved report from your Splunk instance. This supports workflows that need to access report configurations, scheduling details, or metadata before performing additional operations.

    Key parameters: Credential to connect with (required dropdown to select your Splunk credentials), Resource (set to "Report" for report-related operations), Operation (configured as "Get" to retrieve report information), Report (required parameter identifying the report to retrieve. Supports selection from a populated list or direct specification using fixed values or expressions).

    Use cases: Verify report existence before attempting to execute or modify it, retrieve report configuration for documentation purposes, or pull report metadata as part of a compliance audit workflow.

  11. Action 12

    Get Many Reports

    The Get Many Reports action retrieves multiple saved reports from your Splunk instance at once. This enables comprehensive report auditing, inventory management, and bulk operations across your report library.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "Report" for report entity operations), Operation (configured as "Get Many" to retrieve multiple reports), Return All (optional toggle to fetch all available reports when enabled), Limit (optional number field specifying the maximum reports to return when "Return All" is disabled; default: 50), Options (section for additional query parameters like filtering or sorting criteria).

    Use cases: Generate a complete inventory of all saved reports for governance reviews, identify reports that haven't been modified recently for cleanup, or synchronize report metadata with an external documentation system.

  12. Action 14

    Delete Report

    The Delete Report action removes a saved report from your Splunk instance. This supports report lifecycle management, cleanup workflows, and automated maintenance of your report library.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "Report" for report entity operations), Operation (configured as "Delete" to remove the specified report), Report (required parameter identifying which report to delete. Supports selection from a list or direct specification).

    Use cases: Remove outdated reports as part of scheduled maintenance, clean up test reports after development, or implement automated deprecation workflows for reports that haven't been accessed within a retention period.

  13. Action 15

    Get Fired Alerts

    The Get Fired Alerts action retrieves information about alerts that have recently triggered in your Splunk environment. This is critical for security automation—connecting Splunk's detection capabilities to your incident response workflows.

    Key parameters: Credential to connect with (required dropdown to select your Splunk account credentials), Resource (set to "Alert" for alert-related operations), Operation (configured as "Get Fired Alerts" to retrieve triggered alerts).

    Use cases: Forward fired alerts to incident management platforms like PagerDuty or Zendesk, create tickets automatically when critical alerts fire, send immediate Slack notifications to your security team, or aggregate alert data for weekly security summary reports.

  14. Action 16

    Get Metrics (Alert)

    The Get Metrics action retrieves statistical and performance metrics related to your Splunk alerts. This provides visibility into alert behavior patterns, firing frequencies, and overall alert health across your monitoring infrastructure.

    Key parameters: Credential to connect with (required dropdown for Splunk account authentication), Resource (set to "Alert" for alert entity operations), Operation (configured as "Get Metrics" to retrieve alert statistics).

    Use cases: Build dashboards tracking alert volumes over time using tools like Grafana, identify noisy alerts that fire excessively for tuning, generate weekly metrics reports for security leadership, or monitor alert health as part of your observability strategy.
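
The orphaned-account comparison mentioned under Get Many Users, sketched as logic for an n8n Code node; this is an added example, not code from n8n or Splunk. It assumes each user item exposes `name` and `roles` (hypothetical field names), that the privileged-role list fits your deployment, and it flags the case where the default Limit of 50 may have truncated the audit. The sample data is constructed.

```javascript
// Added example: orphaned-account audit over "Get Many Users" output.
// Assumption: each Splunk user item carries `name` and `roles`; adjust to the
// fields your workflow actually receives.

// Roles treated as privileged for triage (assumption; extend for custom roles).
const PRIVILEGED_ROLES = new Set(['admin', 'sc_admin']);

const norm = (s) => String(s).trim().toLowerCase();

function auditSplunkUsers(splunkUsers, idpUsernames, opts = {}) {
  const { limit = 50, returnAll = false, serviceAccounts = [] } = opts;
  // Accounts that are expected to exist: IdP users plus named service accounts.
  const known = new Set([...idpUsernames, ...serviceAccounts].map(norm));

  // With "Return All" off, a full page means more users may exist unseen.
  const truncated = !returnAll && splunkUsers.length >= limit;

  const orphaned = splunkUsers
    .filter((u) => !known.has(norm(u.name)))
    .map((u) => {
      const roles = Array.isArray(u.roles) ? u.roles : [];
      return {
        name: u.name,
        roles,
        privileged: roles.some((r) => PRIVILEGED_ROLES.has(norm(r))),
      };
    })
    // Privileged orphans first, then alphabetical, for review order.
    .sort((a, b) => Number(b.privileged) - Number(a.privileged)
      || a.name.localeCompare(b.name));

  return { checked: splunkUsers.length, truncated, orphaned };
}

// Constructed sample data (not from a real deployment).
const SAMPLE_SPLUNK_USERS = [
  { name: 'alice', roles: ['user'] },
  { name: 'Bob', roles: ['power'] },
  { name: 'svc-n8n', roles: ['n8n_automation'] },
  { name: 'old-contractor', roles: ['admin'] },
  { name: 'test-analyst', roles: ['user'] },
];
const SAMPLE_IDP_USERS = ['alice', 'bob'];

const report = auditSplunkUsers(SAMPLE_SPLUNK_USERS, SAMPLE_IDP_USERS, {
  returnAll: true,
  serviceAccounts: ['svc-n8n'],
});
console.log(JSON.stringify(report, null, 2));
```

Treat a `truncated: true` result as an incomplete audit and rerun with Return All enabled before acting on the orphan list.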


Frequently asked questions

  • Is the Splunk n8n integration free to use?
    The n8n Splunk integration itself is included with n8n at no additional cost—whether you're using n8n Cloud or self-hosting the community edition. However, you'll need an active Splunk instance with appropriate API access. Your Splunk licensing determines what data you can access and how many users you can manage. For n8n, the community (self-hosted) version is free and includes full access to the Splunk node. n8n Cloud pricing depends on your chosen plan and workflow execution volumes. The integration requires no special licensing beyond your existing n8n and Splunk subscriptions.
  • What data can I sync between Splunk and n8n?
    With 15 available actions, you can interact with users (create, get, update, delete, list), search jobs (create, get, list, retrieve results, delete), reports (get, list, create from searches, delete), and alerts (get fired alerts, get metrics). You can extract search results containing any data your SPL queries return—security events, log entries, statistical aggregations, or custom metrics. This data can then flow to any of n8n's 400+ other integrations, enabling you to push Splunk insights to databases, notification platforms, ticketing systems, or analytics tools.
  • How long does it take to set up the Splunk n8n integration?
    Initial setup typically takes 5-10 minutes for basic connectivity. You'll need your Splunk instance URL, management port (usually 8089), and credentials for an account with API access. Once credentials are configured and tested, you can immediately start building workflows. The time-consuming part is designing your actual automation logic—but adding individual Splunk actions to workflows takes seconds. For production deployments, plan additional time to create a dedicated service account with appropriate role-based permissions and to test your workflows thoroughly in a staging environment before going live. If you run into issues, check out our n8n troubleshooting guide for common solutions.