Brendan Cooper
Splunk Professional Services consultant working for JDS Australia (https://www.jds.net.au), in Sydney, Australia.
HunterKiller is an alert action that uses the Splunk REST API to manage search jobs. The alert action reads the list of SIDs in the search results and then sends the specified control command to each search job.
It's designed to fill the gaps where workload management can't reach.
1 - Create a search that returns a list of SIDs that you want to manage (for example: | rest /services/search/jobs/ | search title=mysearchcriteria). The search must return a field called sid.
2 - Add the HunterKiller alert action
3 - Select the command you want to send to each job
4 - Save the alert
PS. The alert action only uses the 'sid', 'action' and 'argument' fields.
| rest /services/search/jobs/ returns many, many fields, so use the fields or table commands to narrow down which fields are passed on to the alert action.
You can also specify the command and its arguments within the search results. This allows each row to have a different command. Simply set a field called 'action' that contains a valid control command. Arguments for this command can be supplied by setting the 'argument' field.
A full list of commands can be found at https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fcontrol
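To make the four steps above and the per-row 'action'/'argument' behaviour concrete, here is an added Python example of the control loop such an alert action performs. It is not the HunterKiller app's own code. It assumes the results arrive as CSV with sid, action and argument columns, that an action not in the documented control command list is skipped rather than sent, and that the 'argument' field maps onto the ttl parameter of setttl and the priority parameter of setpriority (the other commands take no argument). The sample results and SIDs are constructed.

```python
"""Control loop modelled on the HunterKiller alert action: read
(sid, action, argument) rows from alert results and turn each row into a
POST to that job's /control endpoint. Constructed example, not the app's code."""
import csv
import io
import json
import urllib.parse
import urllib.request

# Control commands accepted by /services/search/jobs/{sid}/control
# (the list the Splunk REST reference documents).
ALLOWED_ACTIONS = frozenset({
    "pause", "unpause", "finalize", "cancel", "touch", "setttl",
    "setpriority", "enablepreview", "disablepreview", "save", "unsave",
})
# Assumption: the 'argument' field supplies the parameter these two
# commands take; every other command is sent with no argument.
ARGUMENT_PARAM = {"setttl": "ttl", "setpriority": "priority"}


def build_control_requests(results_csv, default_action, default_argument=""):
    """Return (requests, skipped).

    requests: list of {"url": relative control URL, "data": form body}
    skipped:  list of (row, reason) for rows that must not be sent, i.e.
              rows with no sid or with an action outside the allowed list.
    A row's own 'action'/'argument' fields override the alert-level defaults.
    """
    requests_out, skipped = [], []
    for row in csv.DictReader(io.StringIO(results_csv)):
        sid = (row.get("sid") or "").strip()
        action = (row.get("action") or default_action).strip().lower()
        argument = (row.get("argument") or default_argument).strip()
        if not sid:
            skipped.append((row, "missing sid"))
            continue
        if action not in ALLOWED_ACTIONS:
            skipped.append((row, "unknown action %r" % action))
            continue
        body = {"action": action}
        param = ARGUMENT_PARAM.get(action)
        if param and argument:
            body[param] = argument
        requests_out.append({
            # Percent-encode the SID so a value from the search results can
            # only ever name a job, never add path segments to the URL.
            "url": "/services/search/jobs/%s/control"
                   % urllib.parse.quote(sid, safe=""),
            "data": body,
        })
    return requests_out, skipped


def send_control_requests(requests_out, base_url, session_key):
    """POST each prepared request to splunkd, authenticating with the
    session key the alert framework hands the script. Needs a live
    splunkd, so it is not exercised offline."""
    statuses = []
    for req in requests_out:
        http_req = urllib.request.Request(
            base_url.rstrip("/") + req["url"] + "?output_mode=json",
            data=urllib.parse.urlencode(req["data"]).encode(),
            method="POST",
            headers={"Authorization": "Splunk " + session_key},
        )
        with urllib.request.urlopen(http_req) as resp:
            statuses.append((req["url"], resp.status))
    return statuses


# Constructed sample results, shaped like what the triggering search
# (| rest /services/search/jobs/ | table sid action argument) would hand over.
SAMPLE_RESULTS = (
    "sid,action,argument\n"
    "scheduler__admin__search__RMD5aaa_at_1700000000_10,,\n"   # uses defaults
    "1700000123.456,setttl,600\n"                             # per-row command
    "1700000200.789,restart,\n"                               # not a control command
)

if __name__ == "__main__":
    reqs, skipped = build_control_requests(SAMPLE_RESULTS, default_action="cancel")
    print(json.dumps(reqs, indent=2))
    for row, reason in skipped:
        print("skipped", row.get("sid"), "->", reason)
```

Run as-is it only prints the requests it would send; wiring in send_control_requests with the base URL and session key is what a real alert script would do after validation. Keeping the allowlist check in build_control_requests means a typo or an unexpected value in the 'action' column of the search results is reported rather than forwarded to splunkd.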
Support is not guaranteed and will be provided on a best-effort basis.
Raise an issue at https://github.com/brendancooper/Splunk-Search-HunterKiller or send me an email.
Initial Release!