Splunk: Search Logs
Description
Runs a Splunk REST search job with the SPL you provide, waits for the job to finish (up to 60 seconds), and returns at most the number of events set in Max Results. Use it to pull logs or events from Splunk while you investigate or automate around an incident.
If you use SRE Agent, Splunk is supported as a log source when the integration is configured for agent access. For prerequisites, enabling Allow SRE Agent Access on the Workflow Integration, and related guidance, see Agent Tooling Configuration.
Prerequisites
- A Splunk Enterprise or Splunk Cloud deployment with the REST API reachable from PagerDuty (management port is often 8089; your admin can confirm).
- A Splunk authentication token (or compatible credential your Splunk admin provides) with permission to run searches on the indexes you query.
- A saved Splunk connection in PagerDuty (Automation → Actions → create or select a connection with your Splunk base URL and token).
Instructions
Inputs
| Name | Description |
|---|---|
| Connection Input | The Splunk Workflow Integration connection (base URL and authentication token configured in PagerDuty). If you have not yet configured a Splunk integration, please see the Splunk Integration instructions. |
| Query | Your search in SPL. You may start with implicit search terms (for example index=main error), with an explicit search command, or with a leading pipeline (| inputlookup ...). The action may normalize the query when sending it to Splunk. |
| Max Results | Maximum number of events to return. Allowed range: 1–1000. Default: 100. The action enforces this limit when executing the search. |
Query and Time Range
The action does not inject a default time window, so a query without time bounds runs over whatever default Splunk applies for that user and search context. For predictable results, include time bounds in the SPL itself, for example earliest=-1h, or earliest=-24h@h latest=now. See Splunk's SPL documentation for syntax.
Outputs
| Name | Description |
|---|---|
| Logs | JSON array of log events returned by Splunk (empty array if the search fails or returns no rows). |
| Log Count | The number of events in Logs. |
| Query Used | The SPL string actually executed after any normalization and result limiting applied by the action. |
| Result | Value that shows whether the action was successful. Either "Success" or "Failed". |
| Result Summary | Brief description of what the action did or if it failed. Example: "Successfully retrieved 42 logs." |
| Error | Brief description that is populated if the action failed. Example: "Failed to retrieve logs: Datasource not found." |
Behavior and limits
- The action creates a Splunk search job, polls until the job completes or about 60 seconds elapse, then fetches results. Very heavy searches may time out; narrow time range, simplify SPL, or reduce Max Results.
- Max Results caps how many events are returned for this step; tune it for responsiveness and downstream step size.
- If Splunk returns an authentication or permission error, verify the token, URL (including port), and that the identity can search the chosen indexes.
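The job-create, poll and fetch cycle described above, as an added example written for this page (not PagerDuty's or Splunk's own code). It applies the documented 60 second wait and the 1–1000 Max Results cap, normalizes the three query forms from the Inputs table, and reports results in the shape of the Outputs table. Endpoint paths and JSON field names follow Splunk's REST API (`/services/search/jobs`, `sid`, `isDone`, `count`) as the author understands them; expressing the cap as `| head N` in the executed SPL is an assumption about how the action's "result limiting" works; the base URL, `FakeSplunk` transport and sample events are constructed so the example runs offline.

```python
"""Added example (not PagerDuty's or Splunk's code): the create / poll / fetch cycle the
action performs, with the documented 60 s wait and Max Results cap. Endpoint paths and
JSON field names follow Splunk's REST API as the author understands it; FakeSplunk and
the sample events are constructed so the example runs without a Splunk server."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# transport(method, url, headers, form_fields_or_None) -> parsed JSON body
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     form: Optional[Dict[str, str]]) -> dict:
    """Real HTTP transport (standard library only); raises on non-2xx like urllib does."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def normalize_query(spl: str) -> str:
    """search/jobs requires the string to start with 'search' or a generating '| ...' command,
    so implicit terms such as 'index=main error' get the 'search' prefix; the other two forms
    named on the page pass through unchanged."""
    q = spl.strip()
    if q.startswith("|") or q.lower() == "search" or q.lower().startswith("search "):
        return q
    return "search " + q


def clamp_max_results(n: int) -> int:
    """Enforce the documented 1-1000 range; never send count=0, which Splunk reads as 'all'."""
    return max(1, min(1000, int(n)))


def search_logs(base_url: str, token: str, spl: str, max_results: int = 100,
                transport: Transport = urllib_transport, timeout_s: float = 60.0,
                poll_s: float = 1.0, clock=time.monotonic, sleep=time.sleep) -> dict:
    """Return a dict keyed like the action's outputs. The cap is applied twice: '| head N' in
    the SPL (an assumption about the action's 'result limiting') and count=N on the results call."""
    cap = clamp_max_results(max_results)
    query = f"{normalize_query(spl)} | head {cap}"
    out = {"Logs": [], "Log Count": 0, "Query Used": query, "Result": "Failed",
           "Result Summary": "", "Error": ""}
    headers = {"Authorization": f"Bearer {token}"}   # Splunk authentication token
    base = base_url.rstrip("/")
    try:
        created = transport("POST", f"{base}/services/search/jobs", headers,
                            {"search": query, "output_mode": "json"})
        sid = created["sid"]
        deadline = clock() + timeout_s
        while True:
            status = transport("GET", f"{base}/services/search/jobs/{sid}?output_mode=json",
                               headers, None)
            content = status["entry"][0]["content"]
            if content.get("isFailed"):
                raise RuntimeError(f"search job {sid} failed")
            if content.get("isDone"):
                break
            if clock() >= deadline:
                raise TimeoutError(f"search job {sid} did not finish within {timeout_s:.0f}s")
            sleep(poll_s)
        fetched = transport("GET", f"{base}/services/search/jobs/{sid}/results"
                            f"?output_mode=json&count={cap}", headers, None)
        logs: List[dict] = fetched.get("results", [])[:cap]
        out["Logs"], out["Log Count"], out["Result"] = logs, len(logs), "Success"
        out["Result Summary"] = f"Successfully retrieved {len(logs)} logs."
    except Exception as exc:   # auth errors, HTTP errors and timeouts all surface here
        out["Error"] = f"Failed to retrieve logs: {exc}"
        out["Result Summary"] = out["Error"]
    return out


# Constructed sample events, standing in for what Splunk would return.
SAMPLE_EVENTS = [{"_time": f"2024-05-01T12:00:0{i}", "host": f"web-{i % 2}",
                  "_raw": f"ERROR request failed id={i}"} for i in range(5)]


class FakeSplunk:
    """Offline stand-in for the three endpoints above (constructed for this example)."""
    def __init__(self, events=SAMPLE_EVENTS, polls_until_done=2):
        self.events, self.polls_until_done, self.calls = events, polls_until_done, []

    def __call__(self, method, url, headers, form):
        self.calls.append((method, url, form))
        if headers.get("Authorization") != "Bearer good-token":
            raise PermissionError("HTTP 401 Unauthorized")
        if method == "POST" and url.endswith("/services/search/jobs"):
            if not (form["search"].startswith("search ") or form["search"].startswith("|")):
                raise ValueError("HTTP 400 search must start with 'search' or a generating command")
            return {"sid": "1714564800.42"}
        if "/results?" in url:
            count = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["count"][0])
            return {"results": self.events[:count]}
        self.polls_until_done -= 1
        return {"entry": [{"content": {"isDone": self.polls_until_done <= 0}}]}


if __name__ == "__main__":
    result = search_logs("https://splunk.example.com:8089", "good-token",
                         "index=main error earliest=-24h@h latest=now", max_results=3,
                         transport=FakeSplunk(), poll_s=0)
    print(json.dumps(result, indent=2))
```

Swap `FakeSplunk()` for the default `urllib_transport` and a real base URL and token to run it against a deployment; keep the time bounds inside the SPL, as the page advises, because nothing here injects a window either. The timeout path and the 401 path both end in `Result: "Failed"` with an empty `Logs` array, which is the same shape downstream workflow steps should expect from the action.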