Splunk Enterprise Security

Alert Trigger send token to Drill Down

willadams
Contributor

I am using Enterprise Security and most of our searches are correlation searches. One of my searches is not able to be done in a correlation search so I have resorted to just an alert which then sends a notable event to ES (this is because I need a per event trigger which correlation doesn't let me do). The alert works and gives me the details I want in ES (basic info such as user details). However I would like a drill down search to open something like a table view with additional information. The problem is that I can't seem to find a way to add the token from the notable event to the drill down. For example my search is

index=foo sourcetype=goo
| bin _time span=5m
| stats count by user src

The alert is configured as

Alert Type = real-time
Trigger Alert when "per-result"
Suppression = 8 hours based on user field
Trigger action ==> when triggered - Notable

The notable trigger event can't be edited.

I then went into the advanced edit options of this alert and configured a drill down to be as follows (note $user$)

index=foo sourcetype=goo $user$
| bin _time span=5m
| stats count by user src
| where count > 10
| table src user count

I thought this may be because I am passing the wrong token, so I edited the code as follows (note $result.user) but still no go

index=foo sourcetype=goo $result.user$
| bin _time span=5m
| stats count by user src
| where count > 10
| table src user count

Is there a way this can be done? Do I need to maybe in code generate the token to then be used (i.e. like a dashboard "set token"?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...