
How to display new notable in the results in watchlist lookup?

bobmccoy
Explorer

I have the following search that works but I'm trying to display more information in the search results. 

I have a watchlist lookup.  I use that to search notable events so that I can alert on a user or asset that is part of a new notable.    I'm trying to figure out how to display the new notable in the results. 

| inputlookup user_watchlist
| search _key=*
| rename _key as user
| table user asset
| dedup user asset
| eval flag="no"
| join type=left user asset
[ search index=notable
| where isnotnull(src)
| table src user _time
| mvexpand src
| mvexpand user
| dedup src user
| eval user=mvindex(split(user,"@"),0)
| eval flag="yes"
| rename src as asset
| eval asset=lower(asset)]
| where flag="yes"


gcusello
SplunkTrust

Hi @bobmccoy,

This surely is a very slow search; avoid using the join command, Splunk isn't a DB!

Let me understand: you want all the notables for the users in the user_watchlist lookup, is that correct?

If this is your requirement, you could try something like this:

index=notable [ | inputlookup user_watchlist WHERE _key=* | rename _key as user asset AS src | fields user src | dedup user src ]
| where isnotnull(src)
| mvexpand src
| mvexpand user
| dedup src user
| eval user=mvindex(split(user,"@"),0)
| rename src as asset
| eval asset=lower(asset)

Ciao.

Giuseppe

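One caveat with filtering directly in the base search: the watchlist stores the bare username and a lowercased asset, while the notable event carries user@domain and whatever case the source logged, so the subsearch terms may never match. The variant below (an added example, not part of the thread) normalizes the notable fields first and only then applies the watchlist as a filter with the search command, and tables the notable itself, which is what the question asked for. The field names rule_name and urgency are assumed to be the usual Enterprise Security notable fields; the earliest window is an assumed scheduling interval.

```spl
index=notable earliest=-15m@m src=*
| mvexpand src
| mvexpand user
| eval user=lower(mvindex(split(user,"@"),0)), asset=lower(src)
| search [ | inputlookup user_watchlist WHERE _key=*
           | rename _key AS user
           | eval user=lower(user), asset=lower(asset)
           | fields user asset
           | dedup user asset ]
| dedup user asset rule_name
| table _time rule_name urgency user asset
```

Run it as a scheduled search with the window matching the schedule so each run only returns notables created since the previous one. The subsearch is subject to the default subsearch result limit (10,000 rows), so a watchlist larger than that needs the lookup command instead of a subsearch filter.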