Re: Is it possible to display the search condition...

tjmurphyjr · ‎10-15-2019

If I have a single alert search with multiple conditions that looks something like this:

index=X condition1 OR condition2 OR (condition3 AND subcondition1) OR condition4 OR condition5 OR (condition6 AND subcondition2)

Is there a way to display the actual conditional statement that was met without creating a separate alert for each condition?

In other words, does Splunk set some internal variable that holds the triggered condition (for example - "(condition3 AND subcondition1)") that is accessible to display in an email or notable event?

jacobpevans · ‎10-15-2019

Greetings @tjmurphyjr,

Try doing it yourself. I highly doubt anything like that exists in Splunk.

| eval Matched_Conditions = "",
       Matched_Conditions = if ( condition1 , Matched_Conditions . "condition1", 'Matched_Conditions' ),
       Matched_Conditions = if ( condition2 , Matched_Conditions . "condition2", 'Matched_Conditions' ),
       Matched_Conditions = if ( condition3 AND subcondition1 , Matched_Conditions . "condition3 AND subcondition1", 'Matched_Conditions' ),
       Matched_Conditions = if ( condition4 , Matched_Conditions . "condition4", 'Matched_Conditions' ),
       Matched_Conditions = if ( condition5 , Matched_Conditions . "condition5", 'Matched_Conditions' ),
       Matched_Conditions = if ( condition6 AND subcondition2 , Matched_Conditions . "condition6 AND subcondition2", 'Matched_Conditions' ),

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

tjmurphyjr · ‎10-15-2019

Thanks @jacobpevans! Being a rookie at this I'm not sure how this would be applied to the alert search so that it actually fires. Would the "eval" act as the conditional statement that once met would then trigger the actions when true?

index=x |eval eval Matched_Conditions = "",
Matched_Conditions = if ( condition1...etc

| fields source, eventID, eventTime, Matched_Conditions
etc?

jacobpevans · ‎10-16-2019

You are correct. Your full search would look like this:

index=X
condition1 OR
condition2 OR
(condition3 AND subcondition1) OR 
condition4 OR
condition5 OR
(condition6 AND subcondition2)
| eval Matched_Conditions = "",
        Matched_Conditions = if ( condition1 , Matched_Conditions . "condition1, ", 'Matched_Conditions' ),
        Matched_Conditions = if ( condition2 , Matched_Conditions . "condition2, ", 'Matched_Conditions' ),
        Matched_Conditions = if ( condition3 AND subcondition1 , Matched_Conditions . "condition3 AND subcondition1, ", 'Matched_Conditions' ),
        Matched_Conditions = if ( condition4 , Matched_Conditions . "condition4, ", 'Matched_Conditions' ),
        Matched_Conditions = if ( condition5 , Matched_Conditions . "condition5", 'Matched_Conditions' ),
        Matched_Conditions = if ( condition6 AND subcondition2 , Matched_Conditions . "condition6 AND subcondition2, ", 'Matched_Conditions' ),
| fields source, eventID, eventTime, Matched_Conditions

The only thing that the eval I provided would do is to generate a new field called "Matched_Conditions" which would show each condition from your base search that matched.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Is it possible to display the search condition that was met?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Is it possible to display the search condition that was met?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?