How to have an Alert Generate A Secondary Event with Different Field Names?

tr_newman
Explorer

We currently have an alert set up that generates a ticket in our ticketing platform. We are currently moving to a new ticketing platform and have utilized collect to collect the event and put it in a new index for that ticketing platform to pull data from.

Is there a way to rename fields of the event that is collected, but not change the field names for the current alert? We have to have different field names for the new ticketing system to map correctly. My only idea right now is either to duplicate the alert and have them run in parallel, or, when the ticketing system queries Splunk for new events, to have that query contain a search macro that does the renaming before the events are ingested.


ITWhisperer
SplunkTrust

You could put your collect in an appendpipe in your alert search, something like this

<your search>
| appendpipe
  [| rename x as y
   | table y
   | collect index=other
   | where false()]
| fields - y


tr_newman
Explorer

So to make sure I understand what's happening, we are modifying information in a separate summary, then using table to reveal that information, and collecting that info. Once we break out of the appendpipe, we then display the original fields.

If you don't mind me asking, what is the where false() for?


ITWhisperer
SplunkTrust

Almost - the table is to restrict the fields to just those you want in the summary index. The where false() is to remove the events that you have added to the summary index, otherwise you will effectively double the events you have returned by the search. The first half being the original events, and the second half being the events with the renamed fields.

Consider this

<your search>
| appendpipe
  []

This duplicates all your events!

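The complete pattern from the two replies above, written out as an added example rather than ITWhisperer's own SPL: the base results keep their original field names for the existing ticketing integration, while a renamed copy is written to a second index and then dropped from the displayed results. The index tickets_new, the source and marker values, and the field names (user, src_ip, signature and their renamed counterparts) are assumptions.

```spl
index=security sourcetype=ids_alert severity=high
| stats count AS hits, latest(_time) AS _time BY user, src_ip, signature
| appendpipe
    [| rename user AS account_name, src_ip AS source_address, signature AS rule_name
     | table _time, account_name, source_address, rule_name, hits
     | collect index=tickets_new source="alert:high_severity_ids" marker="alert=high_severity_ids"
     | where false()]
| fields - account_name, source_address, rule_name
```

Every run of this search executes the collect, so re-running it from the alert link writes another copy into tickets_new; the marker value at least makes those copies identifiable in the new index.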

tr_newman
Explorer

You're awesome. But now I have a conundrum. The analysts do not like the fact that we added the collection at the end of the alert because now when they go to the splunk link they have accidentally kicked off more tickets because they didn't remove the collection before making modifications to the search to investigate an alert. Now I'm trying to figure out how I can collect, and rename fields, while also not impacting their search 😕 


gcusello
SplunkTrust

Hi @tr_newman,

why don't you use two different alerts, one for each system with its own field names?

Ciao.

Giuseppe


dmacintosh_splu
Splunk Employee

What ticketing system are you using? Are you trying to avoid modifying the saved search for the alert?
