From the Incident Review dashboard > Actions it is possible to Share Notable Events. To get the URL of the notable event, a shortID is created on the fly. Could it be possible to automatically generate a shortID for each Notable Event?
I need the generated URL in the description field for our ticketing system, so analysts can go directly to ,
In principle, all you'd need to do is append a matching row to the notable_xref_lookup KV Store lookup.
I don't know if there are any pitfalls around doing that for every single notable though.
Note, you can build a direct URL based off the long-form event ID without generating a short ID. If it's just stored in a system somewhere and presented as a clickable link, the downside of an enormous string wouldn't be relevant. Make sure to also pass a reasonable time range in the URL, otherwise that search for an event ID might take ages.
I am trying to do the same thing. However, I am new to Splunk and ES. Can someone tell me how to create a URL like the above?
Is it done via tokens?
Thanks so much!
Here's how you link back using the long-form event ID:
https://es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=1519430400&latest=151943...;
To create a short ID, you either insert a row into the notable_xref_lookup yourself, or you POST to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_xref with the following parameters: event_id, notable_time, xref_id, xref_label, xref_name, short_id.
I wouldn't recommend that though: you'd be relying on undocumented, unpublished interfaces that could change with any upgrade without notice. I'd go with the long-form URL unless you absolutely have to have a human-typeable or phone-transmittable ID.
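The long-form link described above, as an added example that is not part of the thread and not Splunk's own code. It assumes only what the thread shows: the `/en-US/app/SplunkEnterpriseSecuritySuite/incident_review` path and the `earliest`/`latest` epoch parameters. The thread's example URL is cut off right after `latest=`, so the name of the query parameter that carries the event ID is not on the page; the code takes it as a clearly labelled placeholder (`EVENT_ID_PARAM`) that you replace with the name your own "Share Notable Event" link uses. The sample event ID and host are constructed. The checker enforces the two points raised in the replies: `earliest` and `latest` must both be present, and the window must be tight so the event-ID search stays fast and unambiguous.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

INCIDENT_REVIEW_PATH = "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review"

# Hypothetical placeholder: the real query-parameter name for the event ID is
# truncated in the thread, so confirm it against a link generated by
# "Share Notable Event" on your own ES search head and put it here.
EVENT_ID_PARAM = "EVENT_ID_PARAM_PLACEHOLDER"

# Arbitrary sanity limit chosen for this example: links wider than this are
# flagged because the search for a single event ID over a wide range is slow.
MAX_WINDOW_SECONDS = 24 * 3600


def incident_review_url(base, event_id, notable_time, window=60,
                        event_id_param=EVENT_ID_PARAM):
    """Return a long-form Incident Review URL for one notable event.

    base          scheme and host of the ES search head, e.g. "https://es"
    event_id      the notable's long-form event_id (URL-encoded here so that
                  '@' and similar characters survive the trip through a ticket)
    notable_time  epoch seconds of the notable event
    window        seconds of slack on either side of notable_time; keep it
                  small so the link resolves to exactly one event
    """
    if not event_id:
        raise ValueError("event_id is required")
    if window < 0:
        raise ValueError("window must be non-negative")
    notable_time = int(notable_time)
    query = urlencode([
        ("earliest", notable_time - window),   # both bounds must always be sent
        ("latest", notable_time + window),
        (event_id_param, event_id),
    ])
    return f"{base.rstrip('/')}{INCIDENT_REVIEW_PATH}?{query}"


def check_incident_review_url(url):
    """Validate a link before it is written into a ticket description.

    Returns (ok, reason). Fails when earliest/latest are missing or not epoch
    integers, when the range is inverted, or when it is wider than the limit.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(INCIDENT_REVIEW_PATH):
        return False, "not an incident_review URL"
    q = parse_qs(parts.query)
    try:
        earliest = int(q["earliest"][0])
        latest = int(q["latest"][0])
    except (KeyError, ValueError):
        return False, "earliest and latest must both be present as epoch integers"
    if latest < earliest:
        return False, "latest is before earliest"
    if latest - earliest > MAX_WINDOW_SECONDS:
        return False, "time range too wide; the event-ID search will be slow"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real ES instance.
    sample_event_id = "A1B2C3D4-0000-1111-2222-333344445555@@notable@@deadbeef"
    link = incident_review_url("https://es", sample_event_id, 1519430400)
    print(link)
    print(check_incident_review_url(link))
```

Run `check_incident_review_url` on whatever your ticketing integration is about to store; a link that fails the `earliest`/`latest` check is exactly the case the reply below reports as not working.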
Thanks Martin,
Your solution works, just keeping in mind that the earliest and latest fields have to be always present in the request.
I couldn't build the URL with the actual event ID pointing to the Incident Review dashboard. There are a few ways to accomplish this as far as I know:
- using the short ID as the unique identifier of the notable event and creating the GET request with the association fields. E.g. https://a.b.c.d:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?**form.association_type...
- passing all form fields to query a specific notable event, with the earliest and latest fields in epoch format; the precision of the time is very important, otherwise you could get 2 or more events within the given time period (earliest and latest) >>> I really don't like this option. E.g. https://a.b.c.d:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=1519399455&lat...
So, for option 1 a Short ID has to be created (via Create Short ID or Share Notable Event). I would like to know how to automatically generate the Short ID (not by clicking on it).
Any suggestions are welcome.
Thanks