Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: How to get (or generate) Splunk ES notable eve...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to create a dashboard that displays notable event titles as seen on the Incident Review dashboard. Is there an easy way to take the rule_title that is available via the "notable" macro and show token values?
For example, the rule_title from notable macro will show a value such as: "Bad thing by $src_ip$"
But the value I really want to show is: "Bad thing by 192.168.1.1"
I understand that Splunk is probably not storing the latter anywhere (at least not anywhere I can find), but how could I get Splunk to show the value of the token in the same field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My custom search command (very quickly done during an evaluation, so it's up to you to sanity check it):
from splunklib.searchcommands import \
dispatch, StreamingCommand, Configuration, Option, validators
import sys
from string import Template
class MyTemplate(Template):
pattern = r'\$(?P<named>[^$]+)\$'
@Configuration(local=True)
class TemplateCommand(StreamingCommand):
def stream(self, records):
for record in records:
for fieldname in self.fieldnames:
template = MyTemplate(record[fieldname])
substituted = template.safe_substitute(record)
record[fieldname] = substituted
yield record
dispatch(TemplateCommand, sys.argv, sys.stdin, sys.stdout, __name__)
The command would be run like this (I think):
<notable search> | template src_ip dest_ip <...>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My custom search command (very quickly done during an evaluation, so it's up to you to sanity check it):
from splunklib.searchcommands import \
dispatch, StreamingCommand, Configuration, Option, validators
import sys
from string import Template
class MyTemplate(Template):
pattern = r'\$(?P<named>[^$]+)\$'
@Configuration(local=True)
class TemplateCommand(StreamingCommand):
def stream(self, records):
for record in records:
for fieldname in self.fieldnames:
template = MyTemplate(record[fieldname])
substituted = template.safe_substitute(record)
record[fieldname] = substituted
yield record
dispatch(TemplateCommand, sys.argv, sys.stdin, sys.stdout, __name__)
The command would be run like this (I think):
<notable search> | template src_ip dest_ip <...>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Researching this exact problem and stumbled upon something that may help future searchers..
expandtoken command, new for ES 5
http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Expandtoken
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was hoping that I wouldn't have to go this route, but looks like this is definitely a possible solution. Do you recall the URL/title for the post from martin_mueller? I couldn't find it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin_mueller posted a way to do this using macros, but I used a custom search command to do variable replacement.
Oops, I meant to post this as a comment. This is certainly not an answer.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
