
Reports to lookups

infinit3i
New Member

I am trying to get all 500 reports into a CSV so I can utilize them as a lookup, so the rules that are created can have better uniformity and more scalability and control. I am currently looking into subsearches and automatic lookups. Do you know what would be the best way to move a query like

`indextime` `sysmon` <SEARCH>
| eval hash_sha256=lower(hash_sha256),
    hunting_trigger="",
    mitre_category="Defense_Evasion",
    mitre_technique="Obfuscated Files or Information",
    mitre_technique_id="T1027",
    mitre_subtechnique="",
    mitre_subtechnique_id="",
    apt="",
    mitre_link="https://attack.mitre.org/techniques/T1027/",
    creator="",
    upload_date="FIRSTDATE",
    last_modify_date="CURRENTDATE",
    mitre_version="v16",
    priority=""
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `the_new_index`

I'm trying to have a CSV with all of the evals as columns, so that if a field hits in the search_field it will populate the data the same as all of our reports, but from only one lookup.

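One way to see what the lookup-based design looks like end to end, as an added example that is not part of the original post or of any Splunk app: the per-report eval fields from the question become columns of one CSV with one row per report, a key column (here an assumed field named report_name) identifies which report produced a hit, and the detection search replaces the block of evals with a single lookup against that CSV (assumed file name detection_metadata.csv). The Python below builds and validates that CSV from constructed report definitions, then models the join the lookup command performs on constructed Sysmon-style hits, including the lower() on hash_sha256 kept in the search.

```python
import csv
import io
import re

# Column set taken from the eval fields in the question, plus a join key
# (report_name, an assumed field name) identifying which report produced the hit.
LOOKUP_FIELDS = [
    "report_name", "hunting_trigger", "mitre_category", "mitre_technique",
    "mitre_technique_id", "mitre_subtechnique", "mitre_subtechnique_id", "apt",
    "mitre_link", "creator", "upload_date", "last_modify_date", "mitre_version",
    "priority",
]

TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")

# Constructed sample rows: one row per report; the report names are hypothetical.
REPORTS = [
    {"report_name": "sysmon_obfuscated_files", "mitre_category": "Defense_Evasion",
     "mitre_technique": "Obfuscated Files or Information", "mitre_technique_id": "T1027",
     "mitre_version": "v16", "upload_date": "2024-01-15", "last_modify_date": "2024-03-02",
     "priority": "medium"},
    {"report_name": "sysmon_lsass_access", "mitre_category": "Credential_Access",
     "mitre_technique": "OS Credential Dumping", "mitre_technique_id": "T1003",
     "mitre_subtechnique": "LSASS Memory", "mitre_subtechnique_id": "T1003.001",
     "mitre_version": "v16", "upload_date": "2024-02-20", "last_modify_date": "2024-02-20",
     "priority": "high"},
]


def mitre_link(technique_id, subtechnique_id=""):
    """Derive the attack.mitre.org URL from the ids, in the shape of mitre_link in the question."""
    if subtechnique_id:
        base, sub = subtechnique_id.split(".")
        return f"https://attack.mitre.org/techniques/{base}/{sub}/"
    return f"https://attack.mitre.org/techniques/{technique_id}/"


def normalize_row(report):
    """Fill every lookup column, validate the MITRE ids and derive mitre_link when absent."""
    row = {f: report.get(f, "") for f in LOOKUP_FIELDS}
    tid, sid = row["mitre_technique_id"], row["mitre_subtechnique_id"]
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"{row['report_name']}: bad mitre_technique_id {tid!r}")
    if sid and (not SUBTECHNIQUE_ID.match(sid) or not sid.startswith(tid + ".")):
        raise ValueError(f"{row['report_name']}: mitre_subtechnique_id {sid!r} does not belong to {tid}")
    if not row["mitre_link"]:
        row["mitre_link"] = mitre_link(tid, sid)
    return row


def build_lookup_csv(reports):
    """Render the lookup table as CSV text (what would be uploaded as detection_metadata.csv)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    for report in reports:
        writer.writerow(normalize_row(report))
    return buf.getvalue()


def load_lookup(csv_text):
    """Index the CSV by report_name, as the lookup command does with its key field."""
    return {row["report_name"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, lookup):
    """Model of: | eval hash_sha256=lower(hash_sha256) | lookup detection_metadata.csv report_name OUTPUT ..."""
    enriched = []
    for event in events:
        meta = lookup.get(event["report_name"], {})
        row = dict(event)
        row["hash_sha256"] = row.get("hash_sha256", "").lower()
        for field in LOOKUP_FIELDS:
            if field != "report_name":
                row[field] = meta.get(field, "")
        enriched.append(row)
    return enriched


# Constructed Sysmon-style hits; only the fields needed for the join are shown.
SAMPLE_EVENTS = [
    {"report_name": "sysmon_obfuscated_files", "host_fqdn": "ws01.example.test",
     "process_path": "C:\\Windows\\System32\\cmd.exe", "hash_sha256": "ABCDEF0123456789"},
    {"report_name": "sysmon_lsass_access", "host_fqdn": "ws02.example.test",
     "process_path": "C:\\Temp\\tool.exe", "hash_sha256": "0123456789ABCDEF"},
]

if __name__ == "__main__":
    table = build_lookup_csv(REPORTS)
    print(table)
    for hit in enrich(SAMPLE_EVENTS, load_lookup(table)):
        print(hit["host_fqdn"], hit["mitre_technique_id"], hit["mitre_link"])
```

On the Splunk side this corresponds to each report setting `| eval report_name="<its name>"` and then `| lookup detection_metadata.csv report_name OUTPUT mitre_category mitre_technique mitre_technique_id mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority hunting_trigger` in place of the eval block, so changing a technique id or version is one CSV edit rather than 500 saved-search edits; `| inputlookup detection_metadata.csv` then gives an auditable inventory of every rule's MITRE mapping. The id validation matters because a lookup silently returns empty fields for a key or id that does not match.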

dural_yyz
Motivator

I'm not 100% sure what you are looking for; some of your sample search is hidden behind macros, making it harder for me to decipher. Can you provide the raw search and a sampling of expected outcomes?
