arazzo: 1.0.1
info:
  title: Splunk Provision an Index and Attach a Monitor Input
  summary: Create an event index, verify it, then create a file monitor input that feeds it.
  description: >-
    A data-onboarding pattern. A new event index is created and read back to
    confirm its configuration, then a file or directory monitor input is
    created that ingests data into that index, and the monitor is read back to
    confirm it is wired up. Every step spells out its request inline so the
    flow can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
  - name: splunkApi
    url: ../openapi/splunk-enterprise-rest-api.yml
    type: openapi
workflows:
  - workflowId: provision-index-and-monitor
    summary: Create an index, confirm it, attach a monitor input, and confirm the input.
    description: >-
      Creates a new event index, fetches it to verify, creates a monitor input
      targeting that index, and fetches the monitor input to confirm its
      configuration.
    inputs:
      type: object
      required:
        - indexName
        - monitorPath
      properties:
        indexName:
          type: string
          description: Name for the new index (e.g. "my_new_index").
        maxTotalDataSizeMB:
          type: integer
          description: Maximum total size of the index in MB.
        frozenTimePeriodInSecs:
          type: integer
          description: Seconds until data is frozen out of the index.
        monitorPath:
          type: string
          description: The file or directory path to monitor (e.g. "/var/log/syslog").
        sourcetype:
          type: string
          description: Source type to assign to data from the monitor input.
    steps:
      - stepId: createIndex
        description: >-
          Create a new event index with the supplied retention and size
          settings.
        operationId: createIndex
        parameters:
          - name: output_mode
            in: query
            value: json
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            name: $inputs.indexName
            datatype: event
            maxTotalDataSizeMB: $inputs.maxTotalDataSizeMB
            frozenTimePeriodInSecs: $inputs.frozenTimePeriodInSecs
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          name: $response.body#/name
          datatype: $response.body#/content/datatype
      - stepId: verifyIndex
        description: >-
          Fetch the newly created index to confirm it exists and read back its
          configuration.
        operationId: getIndex
        parameters:
          - name: name
            in: path
            value: $steps.createIndex.outputs.name
          - name: output_mode
            in: query
            value: json
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          maxTotalDataSizeMB: $response.body#/content/maxTotalDataSizeMB
          disabled: $response.body#/content/disabled
      - stepId: createMonitor
        description: >-
          Create a file or directory monitor input that ingests new data into
          the index just provisioned.
        operationId: createMonitorInput
        parameters:
          - name: output_mode
            in: query
            value: json
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            name: $inputs.monitorPath
            index: $steps.createIndex.outputs.name
            sourcetype: $inputs.sourcetype
            disabled: false
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          name: $response.body#/name
      - stepId: verifyMonitor
        description: >-
          Fetch the monitor input to confirm it is configured against the new
          index.
        operationId: getMonitorInput
        parameters:
          - name: name
            in: path
            value: $steps.createMonitor.outputs.name
          - name: output_mode
            in: query
            value: json
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          index: $response.body#/content/index
          sourcetype: $response.body#/content/sourcetype
    outputs:
      indexName: $steps.createIndex.outputs.name
      monitorName: $steps.createMonitor.outputs.name
      monitorIndex: $steps.verifyMonitor.outputs.index