My use case is for pulling account lockouts from Splunk into SquaredUp which is easy enough, but I then want to be able to query that information for further details based on a locked out username.
One thought is a SCOM task from the SquaredUp server that runs PowerShell to query Splunk’s API and uses the ‘override parameters’ option to insert the username - would this work, or is it even possible?
You just need to ensure you are viewing an object of the class the task targets.
Using the SCOM Task tile on a dashboard/perspective won’t let you override unfortunately.
We recently implemented tasks from the Alert list too, so building a monitor to query Splunk for locked accounts would allow you to do this from an alert list:
That being said, the table tile has a search box for external data, so pulling back the data and then searching for a user should work? Example below from Log Analytics:
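As an added illustration of the SCOM task approach from the question (not code from either post, and not SquaredUp’s or Splunk’s own code), below is the kind of PowerShell the task could run against Splunk’s REST API, with the username arriving through the task’s override parameter. The Splunk host, the `SPLUNK_TOKEN` environment variable, the `wineventlog` index and the `TargetUserName`/`Caller_Computer_Name` field names are assumptions for the example. Because the username is spliced into SPL, the script first restricts it to a safe character set so an overridden parameter cannot append extra search commands:

```powershell
# Added example: PowerShell a SCOM agent task could run to pull Windows lockout
# events (EventCode 4740) for one account from Splunk's REST API. Not from the
# original thread; host, token source, index and field names are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Username,                                   # supplied via the task's "override parameters"
    [string]$SplunkHost = 'splunk.example.internal',     # assumed Splunk management endpoint
    [int]$SplunkPort = 8089,
    [string]$Earliest = '-24h'                           # SPL relative time for the lookback window
)

# Keep the authentication token out of the script body; assumed to be set on the
# server running the task (for example as a protected environment variable).
$token = $env:SPLUNK_TOKEN
if (-not $token) { throw 'SPLUNK_TOKEN is not set on this host' }

# The username is interpolated into SPL inside double quotes. Allow only
# characters that cannot close the quoted value or introduce a pipe/command,
# so an overridden parameter cannot turn into SPL injection.
if ($Username -notmatch '^[A-Za-z0-9._$\-]{1,64}$') {
    throw "Username '$Username' contains characters not permitted in this query"
}

# Assumed field names for 4740 events as indexed by the Splunk Add-on for Windows;
# adjust index, sourcetype and fields to match your environment.
$spl = @"
search index=wineventlog EventCode=4740 TargetUserName="$Username" earliest=$Earliest
| table _time, TargetUserName, Caller_Computer_Name, ComputerName
| sort - _time
"@

# exec_mode=oneshot runs the search synchronously and returns results in the same
# response, which suits a short-lived task; output_mode=json gives a parseable body.
$uri  = "https://$($SplunkHost):$($SplunkPort)/services/search/jobs"
$body = @{
    search      = $spl
    exec_mode   = 'oneshot'
    output_mode = 'json'
}
$headers = @{ Authorization = "Bearer $token" }

# TLS certificate validation is left on deliberately; fix the trust chain rather
# than disabling checks on a host that handles identity data.
$response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body

if (-not $response.results -or $response.results.Count -eq 0) {
    Write-Output "No lockout events found for '$Username' since $Earliest"
    return
}

# Task output is what SquaredUp shows when the task completes.
$response.results |
    Select-Object _time, TargetUserName, Caller_Computer_Name, ComputerName |
    Format-Table -AutoSize
```

When wired up as a SCOM agent task with `Username` exposed as an overridable parameter, the task would be run from a SquaredUp perspective showing an object of the class the task targets, as the answer above notes; the same script body also works from an alert-list task if the monitor’s alert context carries the account name.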