Parsing data from a search result to alert on

Groedel99 · ‎06-22-2020

I am using this search in Splunk,

index=voice sourcetype=voice_cvp source="*ActivityLog*" host="omatelstgcvp4" ",ForbExt_Accept," | table_raw

, that results in the following

10.217.108.151.1592834757078.388.F,06/22/2020 09:06:22.240,set_COVIDForbExtAccept,custom,ForbExt_accept,978362,4024754759,

and I would like to be able to have it only display ForbExt_accept,978362,4024754759, to use to send an alert w/this data in a csv file

richgalloway · ‎06-22-2020

There are several ways to do that, depending on what fields are extracted from the event. If you don't have any extracted fields, are you running the search in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.

Groedel99 · ‎06-22-2020

The search was set for Smart Mode. switching to Verbose mode results in the same data return.

richgalloway · ‎06-22-2020

There was one question mark in my reply, but two questions. You answered one, but not the other. What fields are extracted from the event?

---
If this reply helps you, Karma would be appreciated.

Parsing data from a search result to alert on

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?