Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Programatically setting severity within a search

iisaphd
Engager
‎10-16-2013 01:11 PM

I am writing a search that will track when the firewall sees outbound traffic over non-standard ports. I have a requirement that states if the destination ip is a known malicious domain, then the severity should be critical. Otherwise, it will be medium. I can certainly accomplish this by writing two searches (one for malicious domains, one for non-malicious domains), but was wondering if I could do it within one search.

Tags (3)
0 Karma
Reply
Highlighted

Re: Programatically setting severity within a search

lukejadamec
Super Champion
‎10-16-2013 01:46 PM

You should look at the append or join command.
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Append

or

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Join

Another option would be to provide cleaned but representative search results that you want to combine.

0 Karma
Reply
Highlighted

Re: Programatically setting severity within a search

sheamus69
Communicator
‎07-12-2016 06:38 AM

I think you can manually set the severity field from within the correlation search (field name is "severity"). I would approach this by performing your lookup for known malicious domains and if true then set the severity to critical.

Something like might work:

...|lookup nastyiplist ip OUTPUT ip as nastyip|eval severity=if(len(nastyip)>0,"critical","medium")|...

0 Karma
Reply