How to display new notable in the results in watch...

bobmccoy · ‎09-20-2023

I have the following search that works but I'm trying to display more information in the search results.

I have a watchlist lookup. I use that to search notable events so that I can alert on a user or asset that is part of a new notable. I'm trying to figure out how to display the new notable in the results.

gcusello · ‎09-21-2023

Hi @bobmccoy,

this surely is a very slow search, avoid to use join command, Splunk isn't a DB!

let me understand: you want all the notables for the users in the user_watchlist lookup, is it correct?

If tis is your requirement, you could try something like this:

index=notable [ | inputlookup user_watchlist WHERE _key=* | rename _key as user asset AS src | fields user src | dedup user asset ]
| where isnotnull(src)
| mvexpand src
| mvexpand user
| dedup src user
| eval user=mvindex(split(user,"@"),0)
| rename src as asset
| eval asset=lower(asset)

Ciao.

Giuseppe

How to display new notable in the results in watchlist lookup?

other

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...