Splunk Enterprise Security

Adaptive Response Variables

ericl42
Path Finder

Hello,

I utilize Adaptive Response quite a bit for automatically creating incident tickets and dumping all of the relevant data in there.

Overall this has worked out pretty well with help.get and pulling variables from the notable event that I created. The issue I'm running into is that I can only pull specific variables that I define in the notable event. I have a few use cases that I'd like to dump rows from the notable event or rows from a drill down search vs. just a basic variable.

Scenario One
How can I pull rows vs. just variables and make those rows a variable that I can put into a ticket? I know there is the helper.get_events() but it's a dictionary format I believe and I had some issues with making it a variable where I can paste the string into a ticket. As well as only doing X rows or rows with Y criteria.

Scenario Two
I want to pull rows down from the drill-down search I have for the notable event. For this I assume I need to set up HEC or do some sort of Python search API call into Splunk and then pull that back into Adaptive Response and convert it to a string? Has anyone done that and could share their code?

I love the emails you get from a notable event that has the data in a column format. I want to be able to put that "pretty" data into my tickets.

Thanks in advance.


lakshman239
SplunkTrust

For scenario 1, as you pointed out, we could use get_events(). Let's assume your correlation search returns 2 results. So, in that case:

    # helper.get_events() yields one dict per result row of the correlation search
    events = helper.get_events()

    for event in events:
        # log each row; the closing quote was missing in the original line
        helper.log_info("myevent={}".format(event))

So, you can get both of the results, which you can iterate through, and take the dictionary object and/or parse it to select the field you need from the event to send to the ticketing system.



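The following is an added example, not code from the answer above or from Splunk's alert-action helper module. It shows what the iteration over get_events() rows can feed into: filtering the rows on a field value (the "Y criteria"), capping them at N rows, and rendering the chosen fields as a column-aligned string that can be dropped into a ticket the way the notable email lays them out. The sample rows and field names (src, user, count, signature) are constructed; inside a real alert action you would pass helper.get_events() in place of SAMPLE_EVENTS.

```python
# Constructed sample of what helper.get_events() yields: one dict per result row.
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "user": "alice", "count": "17",
     "signature": "Brute Force Access Behavior Detected"},
    {"src": "10.1.2.4", "user": "bob", "count": "3",
     "signature": "Brute Force Access Behavior Detected"},
    {"src": "10.9.9.9", "user": "carol", "count": "42",
     "signature": "Excessive Failed Logins"},
]


def select_rows(events, criteria=None, max_rows=None):
    """Keep rows whose fields match every key/value in `criteria`, up to `max_rows`."""
    rows = []
    for event in events:  # works on a list or on the generator the helper returns
        if criteria and any(str(event.get(k, "")) != v for k, v in criteria.items()):
            continue
        rows.append(event)
        if max_rows is not None and len(rows) >= max_rows:
            break
    return rows


def rows_to_table(rows, fields):
    """Render rows as an aligned text table (header, separator, one line per row)."""
    if not rows:
        return "(no matching events)"
    cells = [[str(row.get(f, "")) for f in fields] for row in rows]
    widths = [max([len(f)] + [len(c[i]) for c in cells]) for i, f in enumerate(fields)]

    def line(values):
        return "  ".join(v.ljust(widths[i]) for i, v in enumerate(values))

    out = [line(fields), line(["-" * w for w in widths])]
    out.extend(line(c) for c in cells)
    return "\n".join(out)


def ticket_body(events, fields, criteria=None, max_rows=None):
    """The string to hand to the ticketing call instead of a single variable."""
    return rows_to_table(select_rows(events, criteria, max_rows), fields)


if __name__ == "__main__":
    print(ticket_body(SAMPLE_EVENTS, ["src", "user", "count"],
                      criteria={"signature": "Brute Force Access Behavior Detected"},
                      max_rows=5))
```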