- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Adaptive Response Variables
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I utilize Adaptive Response quite a bit for automatically creating incident tickets and dumping all of the relevant data in there.
Overall this has worked out pretty well with help.get and pulling variables from the notable event that I created. The issue I'm running into is that I can only pull specific variables that I define in the notable event. I have a few use cases that I'd like to dump rows from the notable event or rows from a drill down search vs. just a basic variable.
Scenario One
How can I pull rows vs. just variables and make those rows a variable that I can put into a ticket? I know there is the helper.get_events() but it's a dictionary format I believe and I had some issues with making it a variable where I can paste the string into a ticket. As well as only doing X rows or rows with Y criteria.
Scenario Two
I want to pull rows down from the drill down search I have for the notable event. For this I assume I need to setup HEC or do some sort of Python search API call into Splunk and then pull that back into Adaptive Response and convert it to a string? Has anyone done that and could share their code?
I love the emails you get from a notable event that has the data in a column format. I want to be able to put that "pretty" data into my tickets.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for scenario 1, as you pointed, we could use get_events(). Lets assume, your correlation search returns 2 results. So, in that case
events = helper.get_events()
for event in events:
helper.log_info("myevent={}.format(event))
So, you can get both the results which you can iterate through and take the dictionary object and/or parse it to select the field you need from the event to sent to ticketing system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for scenario 1, as you pointed, we could use get_events(). Lets assume, your correlation search returns 2 results. So, in that case
events = helper.get_events()
for event in events:
helper.log_info("myevent={}.format(event))
So, you can get both the results which you can iterate through and take the dictionary object and/or parse it to select the field you need from the event to sent to ticketing system
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
