Feedback
Got feedback? We want it! Submit your comments and suggestions for our community here.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reports to lookups

infinit3i
New Member
‎12-14-2024 09:04 AM

am trying to get all 500 reports into a csv so I can utilize them as a lookup so the rules that are created can have better uniformity and more scalability and control. I am currently looking into sub searches and Automatic look ups. Do you know would be the best to move a query like

`indextime` `sysmon` <SEARCH>

| eval hash_sha256= lower(hash_sha256),

hunting_trigger="",

mitre_category="Defense_Evasion",

mitre_technique="Obfuscated Files or Information",

mitre_technique_id="T1027",

mitre_subtechnique="", 

mitre_subtechnique_id="",

apt="",

mitre_link="https://attack.mitre.org/techniques/T1027/",

creator="",

upload_date="FIRSTDATE",

last_modify_date="CURRENTDATE",

mitre_version="v16",

priority=""

| `process_create_whitelist` 

| eval indextime = _indextime 

| convert ctime(indextime) 

| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority

| collect `the_new_index`

 

I'm trying to have a csv with all of the evals as columns and if a field hits in the search_field it will populate the data the same as all of our reports but for only one lookup.

0 Karma
Reply

dural_yyz
Motivator
‎12-18-2024 07:47 AM

I'm not 100% sure what you are looking for, some of your sample search is hidden behind macros making it harder for me to decipher.  Can you provide the raw search and sampling of expected outcomes?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...