Splunk Enterprise Security

Performaing a secondary search based on the results of the conditional base search when creating custom Dashboards.

hexerino
Explorer

I have a drop-down menu with all of the rule names that appear in the events. Some of those have been mapped in a lookup table and tailored to the needs of the company. For the others, I would need to display different information.

The base search is as follows (search id:base_search):

index=epo detection_method="Exploit Prevention" | eval filter_exists=if( 
 [| inputlookup defined_filters.csv | eval search="threat_name==\"".threat_name."\""
 | stats count by threat_name, | sort 0 - count
 | table threat_name], 
"True", "False" ) | table threat_name, filter_exists

Please note that the True and False were just tests to make sure that I get what I expect to receive, which I do.

What I want to do next, is for the events that return a True value, perform a certain secondary search passing the threat_name to it because it needs the threat_name to process further.
This is an example of my secondary search if the first one returns true (search id:defined_filter):

| makeresults 
| eval 
    [| inputlookup defined_filters.csv 
    | eval search="threat_name==\"".threat_name."\"" . if(isnull(where_eval), "", " and not (" . where_eval . ")") 
    | stats values(search) as search 
    | eval search="(" . mvjoin(search, ") or (") . ")" 
    | eval search=replace(replace(search, "\\\\", "\\\\\\\\"), "\"", "\\\"") 
    | return search]
| map maxsearches=1 search="search index=epo detection_method=\"Exploit Prevention\" threat_name=\"$threat_name$\" | where `map_workaround($$search$$)`"

For those that return false I need another secondary search. I guess I'm stuck at how to either nest or call the secondary search based on the results of the base_search and pass it the threat_name so I can create panels based on the results of each case.

0 Karma
1 Solution

hexerino
Explorer

It appeared my approach was faulty and I was able to solve it by adding an eval conditional if-statement to the secondary search. This effectively solved the need for alternate searches.

View solution in original post

0 Karma

hexerino
Explorer

It appeared my approach was faulty and I was able to solve it by adding an eval conditional if-statement to the secondary search. This effectively solved the need for alternate searches.

View solution in original post

0 Karma