Splunk Enterprise Security

How to Get Contributing Events from a Notable Event Programmatically

shravankumarkus
New Member

I want to get contributing events for a particular notable event programmatically.
Is there any way that we can get them from any Splunk endpoint?
I thought of a way by using the drilldown search field in the notable event and firing a search query?
I see a field 'orig_sid' in the notable event; is there any way that we can use this field and get

Any other ways that we can get contributing events for a notable event programmatically?

Any suggestions would really help me.

0 Karma

woodcock
Esteemed Legend

The orig_sid should have encoded in it both the name of the search and the time the search ran. Based on that, you can use REST to pull up the search SPL and the cron of the search that ran, merge this with the time that it ran to re-run the same search over the same time window. There are 2 potential problems, though. New events that arrived late(r than the original search ran) might be present and match now that did not originally. Similarly, old events that were found originally may have aged/sized out of your indexers and not be found this time.

0 Karma

shravankumarkus
New Member

Thanks for the response.

I guess you are saying to rerun the search with the same time range that the original correlation search ran.

There is a field 'drilldown_search' which has the search criteria; can it be used?

<field k='drilldown_search'>
    <value>
        <text>| from datamodel:&quot;Threat_Intelligence&quot;.&quot;Threat_Activity&quot; | search threat_match_field=&quot;$threat_match_field$&quot; threat_match_value=&quot;$threat_match_value$&quot;</text>
    </value>
</field>

The orig_sid field is below:

<field k='orig_sid'>
    <value>
        <text>scheduler__admin_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD5ae7062088f029cdf_at_1558764000_9257</text>
    </value>
</field>

0 Karma

koshyk
Super Champion

Good question, but I'm not sure you can link "a single contributing event" for your search, as it might happen due to multiple events. Hence, even if we have an orig_sid, I'm not sure how it can link to an event.

Another trick you could do is to get the "drilldown search" programmatically and then run it during the time. Is this OK with you? If yes, possibly you can get it using the REST endpoint of savedsearches.

0 Karma

shravankumarkus
New Member

Thanks for the response.

But the drilldown search field has many escaped characters, and it also has some values to be substituted, like $threat_match_field$ and $threat_match_value$:

<field k='drilldown_search'>
    <value>
        <text>| from datamodel:&quot;Threat_Intelligence&quot;.&quot;Threat_Activity&quot; | search threat_match_field=&quot;$threat_match_field$&quot; threat_match_value=&quot;$threat_match_value$&quot;</text>
    </value>
</field>

0 Karma
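The two ideas in this thread, woodcock's "decode orig_sid and re-run over the same window" and the asker's problem of the HTML-escaped drilldown_search with unresolved $token$ placeholders, can be combined in a small helper. The following is an added example, not code from the thread or from Splunk Enterprise Security. It parses the sample orig_sid quoted above (owner, base64-encoded app name with its padding stripped, truncated MD5 of the saved-search name, scheduled epoch), unescapes the drilldown and fills its tokens from the notable event's own fields, and builds the POST body for the standard /services/search/jobs endpoint. Two things are assumptions: the sid layout is inferred from this one sample, and the saved search's dispatch.earliest_time / dispatch.latest_time values are expected to be fetched separately from the saved/searches REST endpoint (here they are passed in as arguments). Pinning the job's `now` to the scheduled epoch makes those relative specifiers resolve to the original window without parsing the cron schedule.

```python
import base64
import html
import re
from datetime import datetime, timezone

# Constructed sample values copied from the thread: the orig_sid and the
# HTML-escaped drilldown_search exactly as exported in the notable event XML.
ORIG_SID = ("scheduler__admin_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ"
            "__RMD5ae7062088f029cdf_at_1558764000_9257")
DRILLDOWN_RAW = ("| from datamodel:&quot;Threat_Intelligence&quot;.&quot;Threat_Activity&quot; "
                 "| search threat_match_field=&quot;$threat_match_field$&quot; "
                 "threat_match_value=&quot;$threat_match_value$&quot;")

# Scheduler sid layout as inferred from the sample (assumption): owner,
# base64 app name with '=' padding removed, truncated MD5 of the saved-search
# name, scheduled run time as epoch seconds, and a sequence number.
SID_RE = re.compile(
    r"^scheduler__(?P<owner>.+?)_(?P<app_b64>[A-Za-z0-9+/]+)"
    r"__RMD5(?P<name_md5>[0-9a-f]+)_at_(?P<epoch>\d+)_(?P<seq>\d+)$"
)


def parse_orig_sid(sid):
    """Split a scheduler sid into owner, app, search-name hash and scheduled time."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a scheduler sid: %r" % sid)
    b64 = m.group("app_b64")
    b64 += "=" * (-len(b64) % 4)          # restore the padding the sid drops
    epoch = int(m.group("epoch"))
    return {
        "owner": m.group("owner"),
        "app": base64.b64decode(b64).decode("utf-8"),
        # Only a hash of the search name survives; the name itself has to be
        # matched against the saved/searches listing for this app and owner.
        "name_md5": m.group("name_md5"),
        "epoch": epoch,
        "scheduled_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
    }


def spl_quote(value):
    """Escape a value for use inside a double-quoted SPL string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.:]+)\$")


def render_drilldown(raw_drilldown, notable_fields):
    """Unescape the XML-exported drilldown and fill its $token$ placeholders
    from the notable event's fields. A token with no matching field is an
    error rather than being sent to Splunk as literal text."""
    spl = html.unescape(raw_drilldown)
    missing = [t for t in TOKEN_RE.findall(spl) if t not in notable_fields]
    if missing:
        raise KeyError("notable event lacks fields for tokens: %s" % ", ".join(missing))
    return TOKEN_RE.sub(lambda m: spl_quote(str(notable_fields[m.group(1)])), spl)


def rerun_job_params(sid, raw_drilldown, notable_fields,
                     dispatch_earliest, dispatch_latest):
    """Build the POST body for /services/search/jobs that re-runs the filled-in
    drilldown over the original correlation search's window. dispatch_earliest
    and dispatch_latest are the saved search's own relative dispatch.earliest_time
    and dispatch.latest_time (assumed fetched via REST beforehand); setting `now`
    to the scheduled epoch makes them resolve to the same absolute window."""
    info = parse_orig_sid(sid)
    return {
        "search": render_drilldown(raw_drilldown, notable_fields),
        "earliest_time": dispatch_earliest,
        "latest_time": dispatch_latest,
        "now": str(info["epoch"]),
        "exec_mode": "blocking",
    }


if __name__ == "__main__":
    # Constructed notable-event fields standing in for the real event's values.
    fields = {"threat_match_field": "src", "threat_match_value": "10.0.0.5"}
    print(parse_orig_sid(ORIG_SID))
    print(rerun_job_params(ORIG_SID, DRILLDOWN_RAW, fields, "-70m@m", "-10m@m"))
```

As woodcock notes, a re-run is only an approximation of the original contributing events: data indexed after the correlation search ran may now match, and events that have aged out of the indexes will be missing. Comparing the re-run's count against the notable event's own count field is a cheap sanity check before acting on the result.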