Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Make a Search Result Shareable

SOARt_of_Lost
Path Finder
‎10-22-2024 02:02 PM

With SOAR's Splunk app (Splunk | Splunkbase), you can pull the SID of your search and append that to your Splunk instance's base URL. This is the same format as if you had clicked the share button in Splunk. Unfortunately, using the link returns "Permission Denied" because the SID hasn't actually been shared.

 

Does anyone know how to make the results of a search run by the Splunk app shareable?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SOARt_of_Lost
Path Finder
‎11-13-2024 12:46 PM

This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared. 

import urllib.parse

#This line won't change between different searches
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="

#This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"

#This is optional, Splunk will use your default if you don't include it
#Times should be epoch format
time_range = f'&earliest={[start]}&latest={[end]}'

#Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable) and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SOARt_of_Lost
Path Finder
‎11-13-2024 12:46 PM

This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared. 

import urllib.parse

#This line won't change between different searches
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="

#This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"

#This is optional, Splunk will use your default if you don't include it
#Times should be epoch format
time_range = f'&earliest={[start]}&latest={[end]}'

#Urllib parse is required. It's the difference between "index=* | stats count by index" (human readable) and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range

 

0 Karma
Reply
Solved! Jump to solution

dural_yyz
Motivator
‎10-23-2024 07:42 AM

I've done something similar but put it as a saved search in an app and shared that.  The app contained a dashboard that would load the results from the saved search.  I forget the syntax but there is a trick to it and shouldn't be to hard to sort it out.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...