topic Re: How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard in Splunk Enterprise Security

How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

laleger — Tue, 29 Sep 2020 14:21:17 GMT

I would like to create a dashboard that displays notable event titles as seen on the Incident Review dashboard. Is there an easy way to take the rule_title that is available via the "notable" macro and show token values?

For example, the rule_title from notable macro will show a value such as: "Bad thing by $src_ip$"

But the value I really want to show is: "Bad thing by 192.168.1.1"

I understand that Splunk is probably not storing the latter anywhere (at least not anywhere I can find), but how could I get Splunk to show the value of the token in the same field?

Re: How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

micahkemp — Wed, 31 May 2017 19:34:13 GMT

martin_mueller posted a way to do this using macros, but I used a custom search command to do variable replacement.

Oops, I meant to post this as a comment. This is certainly not an answer.

Re: How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

micahkemp — Wed, 31 May 2017 20:00:50 GMT

My custom search command (very quickly done during an evaluation, so it's up to you to sanity check it):

from splunklib.searchcommands import \
    dispatch, StreamingCommand, Configuration, Option, validators
import sys
from string import Template

class MyTemplate(Template):
    pattern = r'\$(?P<named>[^$]+)\$'

@Configuration(local=True)
class TemplateCommand(StreamingCommand):
    def stream(self, records):
        for record in records:
            for fieldname in self.fieldnames:
                template = MyTemplate(record[fieldname])
                substituted = template.safe_substitute(record)
                record[fieldname] = substituted
            yield record

dispatch(TemplateCommand, sys.argv, sys.stdin, sys.stdout, __name__)

The command would be run like this (I think):

<notable search> | template src_ip dest_ip <...>

Re: How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

laleger — Fri, 02 Jun 2017 18:04:23 GMT

I was hoping that I wouldn't have to go this route, but looks like this is definitely a possible solution. Do you recall the URL/title for the post from martin_mueller? I couldn't find it.

Re: How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

smeier — Wed, 07 Mar 2018 17:45:47 GMT

Researching this exact problem and stumbled upon something that may help future searchers..

expandtoken command, new for ES 5

http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Expandtoken