Splunk Enterprise Security

I would like to create a Workflow action (using a POST link) using the rule_title field and cannot figure out how to expand the tokens in the field.

joelstucki
Engager

When constructing the POST data from a Notable Event in the Enterprise Security Incident Review dashboard as an event action, the $rule_title$ field is sent through with unexpanded tokens such as "$signature$ - IDS watchlist event for $src$" instead of the actual title. If instead I perform the same Workflow action from the results of a search for the notable event in the form "notable_by_id(xxx) | expandtoken", then the value is passed through as desired. So I suppose I can achieve what I want with two Workflow actions: first a search, then a POST link, but that seems silly. Is there any way to get the POST link action to expand the tokens from the dashboard without having to open the notable in a new search and pipe it to the expandtoken command?

1 Solution

joelstucki
Engager

Well, since no one has an answer, I guess I will share my own solution. It seems that after much experimentation the best solution I can offer is to end the correlation search with an eval statement, add the rule_title to a new field, and expand it myself. This means I now have to have the text in two places and keep it in sync, and I now need to go through and edit a whole bunch of correlation searches. This seems an obvious shortcoming in the tool; perhaps someone should fix it. Based on the example above I would add

|eval ticket_title=signature." - IDS watchlist event for ".src 

to the end of the search. Then in my workflow action I could use $ticket_title$ instead of $rule_title$ in the POST command and I would get the expanded fields. This is stupid, but it works and does not require an extra search.

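As an added example (not from the original post or from Splunk's own documentation), this is how a POST workflow action that consumes the eval'd ticket_title field from the workaround above could be declared in workflow_actions.conf. The stanza name, the ticketing URL and the postarg key names are assumptions; the correlation search must already end with the `| eval ticket_title=...` line so that the field exists on the notable event when the action is clicked.

```ini
# workflow_actions.conf (added example; stanza name, URL and postarg keys are assumptions)
[create_ticket_from_notable]
type = link
label = Create ticket: $ticket_title$
display_location = both
# Only offer the action on events that actually carry the expanded title field
fields = ticket_title
link.method = post
link.target = blank
link.uri = https://ticketing.example.com/api/tickets
# Each postarg becomes one form field in the POST body. Values are taken from the
# clicked event's fields, so $ticket_title$ carries the text built by the eval,
# whereas $rule_title$ would arrive as the literal
# "$signature$ - IDS watchlist event for $src$".
link.postargs.1.key = title
link.postargs.1.value = $ticket_title$
link.postargs.2.key = signature
link.postargs.2.value = $signature$
link.postargs.3.key = source_ip
link.postargs.3.value = $src$
```

Two practical caveats: keep link.uri on HTTPS, since the POST body carries detection details out of Splunk, and remember that signature and src originate in log data, so the receiving ticketing API should treat the title and the other posted values as untrusted input rather than rendering or interpolating them verbatim.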