Feedback
Got feedback? We want it! Submit your comments and suggestions for our community here.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reports to lookups

infinit3i
New Member
‎12-14-2024 09:04 AM

am trying to get all 500 reports into a csv so I can utilize them as a lookup so the rules that are created can have better uniformity and more scalability and control. I am currently looking into sub searches and Automatic look ups. Do you know would be the best to move a query like

`indextime` `sysmon` <SEARCH>

| eval hash_sha256= lower(hash_sha256),

hunting_trigger="",

mitre_category="Defense_Evasion",

mitre_technique="Obfuscated Files or Information",

mitre_technique_id="T1027",

mitre_subtechnique="", 

mitre_subtechnique_id="",

apt="",

mitre_link="https://attack.mitre.org/techniques/T1027/",

creator="",

upload_date="FIRSTDATE",

last_modify_date="CURRENTDATE",

mitre_version="v16",

priority=""

| `process_create_whitelist` 

| eval indextime = _indextime 

| convert ctime(indextime) 

| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority

| collect `the_new_index`

 

I'm trying to have a csv with all of the evals as columns and if a field hits in the search_field it will populate the data the same as all of our reports but for only one lookup.

0 Karma
Reply

dural_yyz
Motivator
‎12-18-2024 07:47 AM

I'm not 100% sure what you are looking for, some of your sample search is hidden behind macros making it harder for me to decipher.  Can you provide the raw search and sampling of expected outcomes?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...