Dataflect-Documentation

This documentation is for Dataflect Search version 2.0.6. For documentation covering older versions of Dataflect Search, contact us at support@dataflect.com.

For additional information, visit dataflect.com.

Table of Contents

  1. About Dataflect Search
  2. Dataflect Search License
  3. Dataflect Search Support
  4. Disclaimer
  5. Installation
  6. Dataflect Search Roles
    1. Adding Users to Dataflect Roles
  7. Configuring Dataflect Settings
    1. Enforce Allowed Domains?
  8. Configuring Dataflect Credentials
  9. Using Dataflect Search
    1. Basic Examples
    2. Syntax
    3. Required Arguments
    4. Optional Arguments
  10. Dataflect Search Query Builder Overview
  11. Using the Query Builder to Create a Custom Search Command
  12. Normalizing Dataflect Search Results with Props
    1. Field Aliases
    2. Field Extractions
  13. Dataflect Search Logging Overview
  14. Dataflect Search Monitoring Dashboard
  15. Dataflect Search Modifiers
  16. Dataflect Search Known Issues

About Dataflect Search

Dataflect Search is available as a free Splunk application that allows users to easily integrate with third-party APIs directly from the Splunk ecosystem. The free license currently allows for 150 searches per month. If you would like to purchase additional license capacity, you can do so by contacting sales@dataflect.com.

Additional capabilities are available with a premium version of Dataflect that allows for no-code enrichment of your logs in Splunk, and no-code Splunk alert actions that interact with third-party APIs. If you are interested in a demo of these capabilities, contact sales@dataflect.com.

Dataflect Search provides the following high level capabilities:

Dataflect Search License

To obtain your free Dataflect Search license contact us directly at sales@dataflect.com. The free Dataflect Search license is limited to 150 searches per month. If you need additional capacity reach out to sales@dataflect.com for a paid license.

Dataflect Search Support

Dataflect Search with a free license is a developer supported Splunkbase application. If you encounter issues using the application please contact support@dataflect.com for assistance.

Disclaimer

Dataflect Search is in no way associated with Splunk, Inc. or any of its affiliates. Dataflect Search is a third party developed and maintained Splunk Application.

Dataflect Search Copyright (C) 2025 Dataflect LLC All Rights Reserved.

This software is provided by the copyright holder “as is” and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright owner be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

You may not modify, distribute, sublicense, or sell this program or derivative works based upon it. The user is not allowed to distribute the software and must use it only for personal, non-commercial purposes. Use for any other purpose is expressly forbidden, and may result in severe civil and criminal penalties.


Installation

Dataflect Search can be installed in Splunk Cloud environments and should be installed directly from Splunkbase via self-service install or with the help of Splunk Support. Dataflect Search with a free license is not supported in Splunk Enterprise (on-premise) environments.


Dataflect Search Roles

Dataflect Search uses the standard access control system integrated with the Splunk platform. Dataflect allows for strict Role Based Access Control by restricting functionality and interaction with third party APIs on a per domain basis.

To facilitate this, Dataflect leverages the following existing Splunk roles:

Role | Description
admin/sc_admin | Installs and configures the Dataflect app within your Splunk deployment. Users must be assigned this role in order to manage Dataflect settings, configure allowed domains, and manage custom commands created with Dataflect Search. Users with this role will have visibility into the Monitoring dashboard. Can execute the dfsearch command.
power | Can execute the dfsearch command.

Adding users to Dataflect roles

After installation Dataflect must be configured by a Splunk user with the admin or sc_admin role.

Configuring Dataflect Settings

Users with admin or sc_admin roles will have visibility into the Settings page (Configure -> Settings) within the Dataflect application. The settings that can be configured are:

Enforce allowed domains?

The Allowed Domains list allows an administrator to provide granular permissions to interact with an API. Using this list you can configure per domain permissions:

Configure License

Once you have obtained your license from Dataflect, you must enter your license key in the Dataflect Settings page by clicking “Edit” next to License Key and entering your base64-encoded license. Your text should include the header and footer (-----BEGIN LICENSE FILE----- and ----- END LICENSE FILE-----). If you experience any issues, contact support@dataflect.com.

Your license can only be used on one Splunk Cloud instance.

Configuring Dataflect Credentials

On the Credentials page (Configure -> Credentials) an administrator can create API credentials that can be used to authenticate Dataflect Search commands. When creating credentials you may choose from the following supported types:

Credentials are stored securely using Splunk’s native Secrets Storage.

Additional forms of authentication can be configured with a paid Dataflect Search license, contact sales@dataflect.com for additional information.

Using Dataflect Search

Dataflect Search’s core functionality is made accessible primarily via a custom search command that ships with the application.

NOTE: The dfsearch command can only be run from the Dataflect Search app. If you want to extend the capability outside of the app, you must create custom search commands using the Query Builder Dashboard, and then set the sharing to Global on the Configure -> Commands page.

Basic Examples

| dfsearch url="https://uselessfacts.jsph.pl/api/v2/facts/today"

The above example demonstrates basic usage of the dfsearch command, without any additional parameters specified.

Syntax

Simple:

dfsearch url="<url>"

Complete:

Required syntax is in bold.

| dfsearch
[url=<string>]
[endpoint=<string>]
[parameters=<string>]
[credential=<string>]
[containing_field=<string>]
[timestamp_field=<string>]
[timestamp_strf=<string>]
[limit=<int>]
[data=<string>]
[data_format=<string>]
[headers=<string>]
[rate_limit_calls=<int>]
[rate_limit_period=<int>]
[offset_field=<string>]
[text_line_breaker=<string>]
[text_line_ignore=<string>]
[text_line_headers=<string>]
[ingest=<bool>]
[ingest_index=<string>]
[ingest_sourcetype=<string>]
[include_fields=<string>]
[convert_table_array=<bool>]
[timeout=<int>]

Required arguments

url

Optional arguments

endpoint

parameters

credential

containing_field

timestamp_field

timestamp_strf

limit

data

data_format

headers

rate_limit_calls

rate_limit_period

offset_field

text_line_breaker

text_line_ignore

text_line_headers

ingest

ingest_index

ingest_sourcetype

include_fields

convert_table_array

timeout

Dataflect Search Query Builder Overview

Dataflect Search ships with a Query Builder view that makes it easy for users to interact with the dfsearch command. Users can access the Query Builder dashboard by navigating to the Dataflect Search Application and selecting Query Builder. The same options discussed in this documentation for the dfsearch command are available in the Query Builder.

Using the Query Builder to Create a Custom Search Command

Once a user has executed a search using the Query Builder, the option to “Create Custom Search Command” appears at the top of the page. Click the link to expand this option.

The expanded section includes the underlying query that has been executed. From here a user can enter a “Custom Search Command Name” in the text box under the search and click “Create” to create a custom search command that will execute the underlying search.

Users have the option to enter parameters within the search query using the format $token$. Tokens must be set when the custom search command is executed, using the “parameters” argument.

Update permissions as necessary by navigating to Dataflect Search -> Configure -> Commands.

Normalizing Dataflect Search Results with Props

Dataflect Search results can be normalized using the default Splunk props.conf configurations, with some key caveats.

Field Aliases

To create a field alias, navigate in Splunk Web to Settings -> Fields -> Field aliases.

Field Extractions

To create a field extraction, navigate in Splunk Web to Settings -> Fields -> Field extractions.

Dataflect Search Logging Overview

Each Dataflect command is logged to Splunk’s _internal index. These logs can be found by searching:

index=_internal source=*dataflect.log

Dataflect logs the user executing each command, as well as information regarding which APIs they are communicating with, the number of calls they are making, and the volume of data that is being sent out of Splunk (egress) and returned back to Splunk (ingress).
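The audit fields described above can drive a per-user, per-domain egress review. The following is an added example, not Dataflect's code: the page does not show the dataflect.log event format, so the key=value layout, the field names, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events. Field names (user, domain, calls, egress_bytes,
# ingress_bytes) are assumed; map them to the fields in your own dataflect.log.
SAMPLE_LOG = """\
2025-03-01 10:00:01 INFO user=alice command=dfsearch domain=api.example.com calls=1 egress_bytes=120 ingress_bytes=2048
2025-03-01 10:05:12 INFO user=alice command=dfsearch domain=api.example.com calls=2 egress_bytes=240 ingress_bytes=4096
2025-03-01 11:15:40 INFO user=bob command=dfsearch domain=files.example.net calls=40 egress_bytes=5242880 ingress_bytes=512
2025-03-01 11:20:03 INFO user=bob command=dfsearch domain=api.example.com calls=1 egress_bytes=100 ingress_bytes=900
this line is malformed and should be skipped
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
NUMERIC = ("calls", "egress_bytes", "ingress_bytes")

def parse_line(line):
    """Return the event's fields as a dict, or None if the line is unusable."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if "user" not in fields or "domain" not in fields:
        return None
    try:
        for k in NUMERIC:
            fields[k] = int(fields[k])
    except (KeyError, ValueError):
        return None
    return fields

def summarize(log_text):
    """Total calls, egress and ingress per (user, domain) pair."""
    totals = defaultdict(lambda: dict.fromkeys(NUMERIC, 0))
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        bucket = totals[(event["user"], event["domain"])]
        for k in NUMERIC:
            bucket[k] += event[k]
    return dict(totals)

def review(totals, allowed_domains, egress_limit):
    """Flag traffic to domains outside the approved set and egress above the limit."""
    findings = []
    for (user, domain), t in sorted(totals.items()):
        if domain.lower() not in allowed_domains:
            findings.append((user, domain, "domain_not_allowed"))
        if t["egress_bytes"] > egress_limit:
            findings.append((user, domain, "egress_over_limit"))
    return findings
```

Calling review(summarize(SAMPLE_LOG), {"api.example.com"}, 1_000_000) flags bob's traffic to files.example.net on both checks; the same aggregation can be expressed as a scheduled search over index=_internal once the real field names are confirmed.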

Dataflect Search Monitoring Dashboard

To simplify monitoring, Dataflect provides a Monitoring Dashboard which provides some key metrics. To access the Monitoring Dashboard, navigate to the Dataflect Application, and select Monitoring from the navigation menu.

From within the dashboard you can filter based on time, command and/or the domain being communicated with.

Dataflect Search Modifiers

The following modifiers can be used with any Dataflect custom search command:

Dataflect Search Known Issues
