topic Re: _time passed to Workflow Search string not formatted in All Apps and Add-ons

_time passed to Workflow Search string not formatted

adalbor — Wed, 30 Sep 2020 03:57:20 GMT

Hey All,

I have a workflow action that passes a search string to an external app (ServiceNow) for incident creation. When I use the $_time$ token it uses epoch not the properly formatted time. I am unable to use an eval in the search string because the first command of the search string must be the ServiceNow parameter to call the script. Anyone have any suggestions how I could pass the properly formatted time?

This is what I have currently:

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH"

If I try this before the snsecincident:
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time
I receive an error that the snsecincident has to be the first command in the string.

Should I create a field alias for _time that is formatted properly and use that? If so how would I go about that?

Thanks!

Re: _time passed to Workflow Search string not formatted

13tsavage — Wed, 30 Sep 2020 03:58:26 GMT

Have you tried appending the results of your snsecincident search?

If you append the | eval _time part of your search at the end the append will run this 'subsearch' first.

So your search could look like this:

**
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "etc, blah"
| append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
**
And may help resolve your epoch time conversion to the format you desire.

Hope this helps!

Re: _time passed to Workflow Search string not formatted

adalbor — Wed, 30 Sep 2020 03:57:28 GMT

Just tried what you suggested but still a no-go 😞

What I have currently:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]

Doesnt appear to run the append because the time field is blank on the resulting search page the workflow opens.

If I click on an event to spawn the incident creation I have the option checked to open the search command workflow in another window to see what it is passing.

After the change you suggested this is what the output is:
| snsecincident short_description "Blah Alert on xxxxxx at " category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]

When everything sorta works this is what that result looks like:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH"

Re: _time passed to Workflow Search string not formatted

13tsavage — Wed, 30 Sep 2020 03:58:32 GMT

Maybe remove the rename _time as Time and switch the token to grab$ _time$. If you are not getting any resulting time fields with the rest of the event then there may be something wrong with the token being grabbed and then you rename it.

So maybe try

**
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]
**

Re: _time passed to Workflow Search string not formatted

adalbor — Wed, 30 Sep 2020 03:57:33 GMT

That unfortunately didnt work either.

Output of search command:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]

Re: _time passed to Workflow Search string not formatted

13tsavage — Fri, 31 Jan 2020 14:30:15 GMT

I am working on this. I just got some mock data in epoch time I can try and replicate locally.

Re: _time passed to Workflow Search string not formatted

13tsavage — Wed, 30 Sep 2020 03:58:40 GMT

You may not even need the append to run the search. I just added the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of my search and it formatted _time. I am not using a token format. Do you have to use $_time$ to execute the | snsecincident search?

Re: _time passed to Workflow Search string not formatted

adalbor — Fri, 31 Jan 2020 15:13:04 GMT

So the reason I have to use $_time$ is because I am passing that as a token to a third party app. Essentially the search command I am providing is the result of a workflow action built into TA-ServiceNow-SecOps. The search command on the backend (snsecincident) runs a script that connects to the ServiceNow Instance and creates a security incident based on the tokens in that search command.

Re: _time passed to Workflow Search string not formatted

13tsavage — Wed, 30 Sep 2020 03:58:45 GMT

Okay. Can you just try adding the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of your search?

So your search would be

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")

Re: _time passed to Workflow Search string not formatted

adalbor — Wed, 30 Sep 2020 04:01:00 GMT

It definitely doesn't like having an extra command added to the end. Same results as before where it ignores that part of the search command

Output:
| snsecincident short_description "Fireeye HX Alert on xxxxxat 1579880575" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx" description "BLAH BLAH" eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")

Re: _time passed to Workflow Search string not formatted

13tsavage — Fri, 31 Jan 2020 17:06:13 GMT

I wish I could help and try and replicate your environment. Keep trying, maybe see if you can | rex out the epoch time as a new field then eval that? Not sure what else I can suggest.

Hope you can figure it out!

13tsavage

Re: _time passed to Workflow Search string not formatted

adalbor — Fri, 31 Jan 2020 18:00:47 GMT

Thanks for all the time you devoted to helping!

Thanks!

Re: _time passed to Workflow Search string not formatted

adalbor — Mon, 03 Feb 2020 20:36:23 GMT

Does anyone know if its possible to create a field alias for _time with it properly formatted?

Re: _time passed to Workflow Search string not formatted

adalbor — Wed, 12 Feb 2020 18:25:42 GMT

Hey All,

We finally found a solution to this but it didn't exist within the output search command. We ended up modifying a couple of the python scripts within the ServiceNow Security Operations app to extract the _time based on a special character placed before the string then convert to ISO format then pass back to the function that sent it to the API. We were also able to insert line breaks into the data once it was placed in the Description field of ServiceNow using a similar method.