The script's output is the set of poll results that Splunk collects on every scheduled run to populate its index. The script obtains a token and renews it as necessary. It then polls the /activities endpoint in time intervals, persisting the last successfully completed interval to a file so that each subsequent run begins where the last run finished.

The script handles renewal of expired tokens (for example, when a run takes longer than an hour) and follows the cursor through paginated results. An interval that did not run to completion is not marked as finished and is retried on subsequent runs.

You can modify the script to meet the needs of your Splunk architecture. Optionally, you can wrap the script in Python, which can be easier for Splunk to consume.

You can find the script here:

  1. Give the files read/write/exec permissions that are appropriate for your Splunk user. You might also need to set up the appropriate permissions to read/write/exec from the directory in which you saved the script.
  2. The script writes to and reads from the disk, so ensure that Splunk has access.
  3. Update the path to STATUS_FILE in poll_activities.js to match the directory in which you placed your script, and same for the if you chose to use it.
  4. Update the ENV_ID, CLIENT_ID, and CLIENT_SECRET in poll_activities.js to match your environment and your application's credentials.