Splunk SOAR

Schedule/PreviewWindow configure on Splunk for Phantom App

rsantoso_splunk
Splunk Employee

[ Splunk deployment/architecture ]

Splunk Enterprise: 7.2.0 / Standalone / CentOS 7.4
Phantom App for Splunk:2.6.22 https://splunkbase.splunk.com/app/3411/
Phantom : v4.2

[ Background ]

We are testing the Phantom App for Splunk to send events from Splunk to Phantom. The roles of "Schedule" and "Preview Window" are unclear. There is no description on the Splunkbase page. We were not able to understand the design of "Schedule" and "Preview Window" through our test. If our observation is in line with the app design, it can affect the search results and the topology design. So, we would like to clarify what the expected actions in the Phantom app are.

[ Issue description ]

We configured Saved Search Export in Event Forwarding. Here are our observations from our test. As a result, we do not understand what the right behavior of this app is.
- When configuring Schedule: Every {n} Minutes, the saved search runs every {n} minutes.
- When configuring Schedule: Every {n} Minutes, the time range of the saved search is from {n}*2 minutes ago to the latest.
- When configuring Schedule: Real Time, several searches were created with various time ranges.
- "Preview Window" does not work even though we configured Every {n} Minutes or Real Time on Schedule.

[ Questions ]

Q1. What do the following parameters configure?
- Schedule : Real Time
- Schedule : Every {n} Minutes
- PreviewWindow

Q2. What should we configure when we want to search the last 1 hour every 5 minutes?


rsantoso_splunk
Splunk Employee

The Schedule parameter and the Preview Window are two separate things.

The Schedule parameter is associated with the repeatable event forwarding. It is applied when you click “Save and Close”.
The Preview Window parameter is associated with the one time preview event forwarding. It is applied when you click “Save and Preview”.

The Schedule parameter and the Preview Window are not dependent on each other.

The Schedule parameter has the recurring window where you can put “n” Minutes. The time range is hard coded to “n*2”.
The Preview Window parameter has the one time preview window where you put 5 mins, 1 hour, 1 day, All Time. The time range is the selected value (5 mins, 1 hour, 1 day, All Time) and is applied when you click “Save and Preview”.

Now you can modify the Schedule parameter time range by clicking on the associated configuration with Edit Advanced of the alert.
Under Edit Advanced you will find the parameter dispatch.earliest_time. This value will be 2*n. You can modify this to another value and save it.

Please note that if you edit the associated alert and make changes, say after you modify dispatch.earliest_time, and then you modify the schedule time again, the dispatch.earliest_time value goes back to 2*n.

Thus, to configure the search for the last 1 hour every 5 minutes:
- In the Schedule parameter enter 5 minutes.
- Go to Edit Advanced, change the parameter dispatch.earliest_time value from 10 minutes to 60 minutes.
The Preview Window has no effect for the “Save and Close” button. Thus whatever value is selected wouldn’t have any effect.

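The answer above has two practical consequences for the saved search that drives event forwarding: the search window is hard-coded to 2*n until you override dispatch.earliest_time, and that override silently reverts to 2*n whenever the schedule is re-saved. The script below is an added example (not code from the Phantom app, Splunk, or the poster) that reads a savedsearches.conf and flags scheduled searches whose lookback is shorter than the run period (events between runs are never forwarded) or exactly twice the run period (the app's default, which is what a reverted override looks like). The stanza names and search strings are constructed for this example; the Phantom app's real saved-search names are not on the page. Only the standard Splunk keys enableSched, cron_schedule, dispatch.earliest_time and dispatch.latest_time are used, and the cron parser handles only the "*/n * * * *" form the app's "Every n Minutes" schedule produces.

```python
import configparser
import re

# Constructed sample savedsearches.conf (stanza names and searches are made up
# for this example; the keys are standard Splunk savedsearches.conf keys).
SAMPLE_CONF = """
[phantom_forward_auth_failures]
search = index=wineventlog EventCode=4625
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now

[phantom_forward_auth_failures_tuned]
search = index=wineventlog EventCode=4625
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now

[phantom_forward_gap]
search = index=proxy action=blocked
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
"""

_UNIT_MINUTES = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440}


def relative_time_minutes(value):
    """Convert a relative time such as '-60m' or '-1h' into a positive lookback
    in minutes. Returns None for forms this example does not handle (snap-to
    modifiers like '-1d@d', absolute times, or the empty string)."""
    m = re.fullmatch(r"-(\d+)([smhd])", value.strip())
    if not m:
        return None
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def cron_period_minutes(cron):
    """Return the run period in minutes for the simple '*/n * * * *' cron form
    that an 'Every n Minutes' schedule produces; None for anything else."""
    fields = cron.split()
    if len(fields) != 5 or fields[1:] != ["*", "*", "*", "*"]:
        return None
    m = re.fullmatch(r"\*/(\d+)", fields[0])
    return int(m.group(1)) if m else None


def check_forwarding_windows(conf_text):
    """Return {stanza: status} for every scheduled search in conf_text.

    'gap'        lookback shorter than the run period: events are missed.
    'default-2n' lookback equals 2*period: the app's hard-coded default, i.e.
                 either never overridden or reverted by a schedule re-save.
    'ok'         any other lookback (for example the 60m/5m case in the post).
    'unknown'    schedule or earliest_time not in a form this check parses.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. enableSched
    cp.read_string(conf_text)
    results = {}
    for name in cp.sections():
        section = cp[name]
        if section.get("enableSched", "0") != "1":
            continue  # not scheduled, so no forwarding window to check
        period = cron_period_minutes(section.get("cron_schedule", ""))
        lookback = relative_time_minutes(section.get("dispatch.earliest_time", ""))
        if period is None or lookback is None:
            results[name] = "unknown"
        elif lookback < period:
            results[name] = "gap"
        elif lookback == 2 * period:
            results[name] = "default-2n"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    for stanza, status in check_forwarding_windows(SAMPLE_CONF).items():
        print(f"{stanza}: {status}")
```

Running this against the real file under the app's local directory after every schedule change is a cheap way to catch the reversion the answer warns about; treat "default-2n" as "re-check whether this window is what you intended" rather than as an error, since 2*n is a valid choice when no longer lookback is needed.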
