Splunk SOAR
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for Phantom to export Raw Logs

rsantoso_splunk
Splunk Employee
Splunk Employee
‎03-11-2019 12:35 PM

I am using App Version 2.5.23:

Go to the app and click on “new saved search Export” I have created the saved searches to call onto the app as shown below (I have created search with “table” ).

Search used is :

index=symantec vendor_action="Left alone" Disposition!="Good" | table _time,_raw,Computer_Name,file_hash,file_name,file_path,Risk_Name,Risk_Level,Disposition,user_email,Confidence,eventtype,dest_ip,Location,Occurrences | dedup Computer_Name,file_hash

But when I am trying to use auto extract and select _raw in the field its not being saved while other all fields from the “table command ” has been taken by the configuration.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsantoso_splunk
Splunk Employee
Splunk Employee
‎03-11-2019 12:35 PM

The _raw field is not being saved after submitting the save button. This is due to the _raw field is not part of the Phantom Common Event Format (CEF).

_raw field is intentionally not saved by design.

There is workaround by performing the following:
After extracting the _raw field, enter the CEF field as "message". This will put the _raw data into message field in Phantom.
This will allow you to save the _raw field. The _raw data will be in the message field in Phantom.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rsantoso_splunk
Splunk Employee
Splunk Employee
‎03-11-2019 12:35 PM

The _raw field is not being saved after submitting the save button. This is due to the _raw field is not part of the Phantom Common Event Format (CEF).

_raw field is intentionally not saved by design.

There is workaround by performing the following:
After extracting the _raw field, enter the CEF field as "message". This will put the _raw data into message field in Phantom.
This will allow you to save the _raw field. The _raw data will be in the message field in Phantom.

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top