Splunk Enterprise Security

How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

laleger
Explorer

I would like to create a dashboard that displays notable event titles as seen on the Incident Review dashboard. Is there an easy way to take the rule_title that is available via the "notable" macro and show token values?

For example, the rule_title from notable macro will show a value such as: "Bad thing by $src_ip$"

But the value I really want to show is: "Bad thing by 192.168.1.1"

I understand that Splunk is probably not storing the latter anywhere (at least not anywhere I can find), but how could I get Splunk to show the value of the token in the same field?

1 Solution

micahkemp
Champion

My custom search command (very quickly done during an evaluation, so it's up to you to sanity check it):

from splunklib.searchcommands import \
    dispatch, StreamingCommand, Configuration
import sys
from string import Template

class MyTemplate(Template):
    # Notable titles use $field$ (a trailing $ as well), not Template's
    # default $name / ${name}. Token names never contain whitespace, so
    # excluding it stops a stray "$" elsewhere in the title from being
    # paired with the wrong delimiter.
    pattern = r'\$(?P<named>[^$\s]+)\$'

@Configuration(local=True)
class TemplateCommand(StreamingCommand):
    # Usage: ... | template <field> [<field> ...]
    # Each named field is rewritten in place with its $tokens$ expanded
    # from the other fields of the same record.
    def stream(self, records):
        for record in records:
            for fieldname in self.fieldnames:
                value = record.get(fieldname)
                if not isinstance(value, str):
                    # field absent (or multivalue): nothing to expand
                    continue
                template = MyTemplate(value)
                # safe_substitute leaves unknown $tokens$ untouched instead
                # of raising KeyError
                record[fieldname] = template.safe_substitute(record)
            yield record

dispatch(TemplateCommand, sys.argv, sys.stdin, sys.stdout, __name__)

The command would be run like this (I think):

<notable search> | template src_ip dest_ip <...>
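The same substitution can be checked offline before wiring it into a search command. The block below is an added example, not micahkemp's command or anything shipped with Splunk ES: it assumes notable records arrive as plain dicts (the constructed SAMPLE_NOTABLES list), and the names NotableTitleTemplate, expand_title and expand_fields are hypothetical. It goes a little beyond the answer by covering the edge cases a dashboard will hit: a token whose field is missing in the record (left as-is rather than erroring), a multivalue field, and a literal "$" in the title.

```python
from string import Template


class NotableTitleTemplate(Template):
    """string.Template variant whose placeholders use ES notable syntax: $field$."""
    delimiter = '$'
    # Template compiles this with re.VERBOSE, so whitespace and # comments are
    # ignored. All four named groups must exist for Template's substitution logic.
    pattern = r'''
        \$(?:
            (?P<escaped>\$)              |   # "$$" -> a literal "$"
            (?P<named>[A-Za-z_][\w.]*)\$ |   # "$src_ip$" -> value of field src_ip
            (?P<braced>(?!))             |   # never matches; required by Template
            (?P<invalid>)                    # a lone "$" (e.g. "$5") is left untouched
        )
    '''


def expand_title(title, record):
    """Expand $field$ tokens in one title from the fields of one record.

    Unknown tokens are kept verbatim (safe_substitute), so a title never
    disappears just because a field was absent from this notable.
    """
    # Multivalue fields come through the Splunk SDK as lists; render them the
    # way Incident Review would show several values.
    mapping = {
        key: ', '.join(str(v) for v in value) if isinstance(value, list) else str(value)
        for key, value in record.items()
    }
    return NotableTitleTemplate(title).safe_substitute(mapping)


def expand_fields(records, fieldnames):
    """Generator shaped like StreamingCommand.stream: expand each named field in place."""
    for record in records:
        for fieldname in fieldnames:
            value = record.get(fieldname)
            if isinstance(value, str):
                record[fieldname] = expand_title(value, record)
        yield record


# Constructed records mimicking what the `notable` macro returns; not real data.
SAMPLE_NOTABLES = [
    {"rule_title": "Bad thing by $src_ip$", "src_ip": "192.168.1.1", "dest_ip": "10.0.0.5"},
    {"rule_title": "Brute force against $user$ from $src_ip$",
     "src_ip": "10.1.2.3", "user": ["alice", "bob"]},          # multivalue field
    {"rule_title": "Cost $$ overrun by $src_ip$", "src_ip": "172.16.0.9"},  # literal "$"
    {"rule_title": "Access from $src_ip$ to $dest_ip$", "src_ip": "10.9.9.9"},  # dest_ip missing
]


def expand_sample_titles():
    """Run the sample notables through the expander and return the titles."""
    copies = [dict(r) for r in SAMPLE_NOTABLES]
    return [r["rule_title"] for r in expand_fields(copies, ["rule_title"])]


if __name__ == '__main__':
    for title in expand_sample_titles():
        print(title)
```

The token pattern deliberately requires a field-name-like identifier between the two dollar signs; a pattern such as `[^$]+` would pair the `$` of a literal amount with the opening `$` of the next token and swallow the text between them.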


smeier
Path Finder

Researching this exact problem and stumbled upon something that may help future searchers.

expandtoken command, new for ES 5

http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Expandtoken

laleger
Explorer

I was hoping that I wouldn't have to go this route, but looks like this is definitely a possible solution. Do you recall the URL/title for the post from martin_mueller? I couldn't find it.


micahkemp
Champion

martin_mueller posted a way to do this using macros, but I used a custom search command to do variable replacement.

Oops, I meant to post this as a comment. This is certainly not an answer.
