SPL query to track status change

pruthviraj_k_m
Engager

Hi,

I just wanted to know: is it possible to track the status change in any of the notables? If so, which log source (index) do I need to run the query on? (Particularly the status change from "In Progress" to "Resolved".) I want to export this data to SOAR so that this event triggers a playbook on SOAR whenever a notable gets resolved.


gcusello
SplunkTrust

Hi @pruthviraj_k_m ,

let me understand: which changes do you want to track?

Anyway:

  • notable creations are recorded in the notable index,
  • status changes are recorded in the incident_updates_lookup,
  • notes are recorded in the mc_notes lookup.

You can find a starting point in this old answer of mine: https://community.splunk.com/t5/Monitoring-Splunk/Need-help-with-Splunk-query-for-MTTD-and-MTTT-per-...

or in this search:

index=_audit source=mc_notes
| eval json_blob=replace(_raw,"\\\\\"","\"")
| rex field=json_blob "\"notable_id\":\s*\"(?<notable_id>[^\"]+)"
| rex field=json_blob "\"content\":\s*\"(?<note_value>[^\"]+)"
| eval note_value = urldecode(note_value)
| rex field=json_blob "\"username\":\s*\"(?<user_value>[^\"]+)"
| join type=left notable_id
    [ search index=notable
    | rename source_event_id as notable_id ]
| table note_value user_value orig_rule_title

Obviously, these are only starting points to create your own search.

Ciao.

Giuseppe

pruthviraj_k_m
Engager

Thanks @gcusello 

I tried to run a query something like this:

| inputlookup incident_updates_lookup
| eval source_guid_in_lookup=mvindex(split(rule_id, "@@notable@"), 0)
| join type=left source_guid_in_lookup
    [ search index=notable
    | rename source_guid as source_guid_in_lookup ]
| table rule_id, source_guid_in_lookup, source_event_id, status

By this, I want to fetch the source_event_id (notable_id). If I split the rule_id at "@@notable@", the first part should match the source_guid field in the notable index. But when I ran this query, I was not able to get any source_event_id. That column returns no entry.

Could you please help me to modify this query? 


gcusello
SplunkTrust

Hi @pruthviraj_k_m ,

first, never use a join, because it is very slow and expensive.

Then, if you must use a join, don't start with the lookup, because the subsearch has a limit of 50,000 results.

Using the lookup command you have a left join.

Please adapt something like this to your situation (I cannot test the search because I don't have your data):

index=notable
| lookup incident_updates_lookup rule_id AS source_guid OUTPUT status
| table source_guid, source_event_id, status

 I don't know the relation between rule_id (in lookup) and source_guid (in index).

Ciao.

Giuseppe


pruthviraj_k_m
Engager

I have rule_id, and if I split the rule_id with the delimiter "@@notable", the first part will match the values of source_guid in the notable index.

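The posts above establish three things: status changes live in incident_updates_lookup, the part of rule_id before "@@notable@" is the key that should tie an update back to a notable in index=notable, and the OP's goal is to fire a SOAR playbook when a notable moves from "In Progress" to "Resolved". The following is an added Python example written for this page (it is not code from any poster or from Splunk ES) that works offline on constructed rows shaped like an `| inputlookup incident_updates_lookup` export and a few `index=notable` events: it derives the key, finds each notable's change into Resolved from In Progress (sorting out-of-order rows and ignoring a second Resolved row caused by an owner change), left-joins source_event_id and rule_title, and leaves them None when nothing matches, which is what the OP's empty column looks like. The field names and the numeric status-code table are assumptions; check them against `| inputlookup reviewstatuses_lookup` and your own data before using the logic.

```python
"""Detect In Progress -> Resolved transitions in incident_updates-style rows
and enrich them with the matching notable, as a SOAR trigger would need.
Added example for this thread; assumptions are marked below."""
import csv
import io
import json
from collections import defaultdict

# ASSUMPTION: ES default numeric status codes. Verify with
# `| inputlookup reviewstatuses_lookup` on your own install.
DEFAULT_STATUS_LABELS = {
    "0": "Unassigned", "1": "New", "2": "In Progress",
    "3": "Pending", "4": "Resolved", "5": "Closed",
}

# CONSTRUCTED sample: shape assumed for `| inputlookup incident_updates_lookup`.
# Rows are deliberately out of time order; guid-aaa has a second Resolved row
# (an owner change) and guid-bbb reaches Resolved from Pending, not In Progress.
SAMPLE_UPDATES_CSV = """time,rule_id,status,user,comment
1700000300,guid-aaa@@notable@@h1,2,analyst1,taking it
1700000100,guid-aaa@@notable@@h1,1,analyst1,new
1700000600,guid-aaa@@notable@@h1,4,analyst1,fixed
1700000900,guid-aaa@@notable@@h1,4,analyst1,owner changed only
1700001200,guid-aaa@@notable@@h1,5,lead,closing
1700000200,guid-bbb@@notable@@h2,2,analyst2,working
1700000500,guid-bbb@@notable@@h2,3,analyst2,waiting on user
1700000800,guid-bbb@@notable@@h2,4,analyst2,done
1700000400,guid-ccc@@notable@@h3,2,analyst3,in progress
"""

# CONSTRUCTED stand-in for the fields of interest in index=notable.
SAMPLE_NOTABLES = [
    {"source_guid": "guid-aaa", "source_event_id": "evt-1", "rule_title": "Brute Force"},
    {"source_guid": "guid-bbb", "source_event_id": "evt-2", "rule_title": "Malware Alert"},
]


def notable_key(rule_id):
    """Prefix of rule_id before "@@notable@" (the join key the OP describes).
    A rule_id without the delimiter is returned unchanged."""
    return rule_id.split("@@notable@", 1)[0]


def parse_updates(csv_text, labels=DEFAULT_STATUS_LABELS):
    """Turn a lookup export into dicts; unknown status codes keep the raw code."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "time": int(r["time"]),
            "rule_id": r["rule_id"],
            "source_guid": notable_key(r["rule_id"]),
            "status": labels.get(r["status"], r["status"]),
            "user": r["user"],
            "comment": r.get("comment", ""),
        })
    return rows


def status_transitions(rows, to_label="Resolved", from_labels=("In Progress",)):
    """Per rule_id, walk updates in time order and emit each change INTO
    to_label. from_labels restricts the previous status; None allows any."""
    by_rule = defaultdict(list)
    for r in rows:
        by_rule[r["rule_id"]].append(r)
    hits = []
    for rule_id, updates in by_rule.items():
        updates.sort(key=lambda r: r["time"])  # lookup rows are not ordered
        for prev, cur in zip(updates, updates[1:]):
            if cur["status"] != to_label or prev["status"] == to_label:
                continue  # no change into the target status (e.g. owner edit)
            if from_labels is not None and prev["status"] not in from_labels:
                continue
            hits.append({"rule_id": rule_id, "source_guid": cur["source_guid"],
                         "time": cur["time"], "user": cur["user"],
                         "previous_status": prev["status"], "status": cur["status"]})
    return sorted(hits, key=lambda h: h["time"])


def attach_notables(transitions, notables):
    """Left join on source_guid; unmatched transitions keep None values."""
    index = {n["source_guid"]: n for n in notables}
    return [{**t,
             "source_event_id": index.get(t["source_guid"], {}).get("source_event_id"),
             "rule_title": index.get(t["source_guid"], {}).get("rule_title")}
            for t in transitions]


def soar_events(csv_text, notables, labels=DEFAULT_STATUS_LABELS,
                from_labels=("In Progress",)):
    """End to end: rows -> Resolved transitions -> enriched trigger payloads."""
    rows = parse_updates(csv_text, labels)
    return attach_notables(status_transitions(rows, "Resolved", from_labels), notables)


if __name__ == "__main__":
    for event in soar_events(SAMPLE_UPDATES_CSV, SAMPLE_NOTABLES):
        print(json.dumps(event))  # one JSON line per notable to hand to SOAR
```

With the default `from_labels`, only guid-aaa fires; passing `from_labels=None` also fires guid-bbb, which reached Resolved via Pending, so choose the setting that matches what the playbook should treat as "resolved". If the Resolved transition exists but `source_event_id` comes back None, the key derived from rule_id does not match anything in the notable rows, which is the situation to debug before wiring up SOAR.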

tscroggins
Champion

Hi @pruthviraj_k_m,

I commented on tracking status changes circa ES 7.0. The searches may still be applicable today. See https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-a-Dashboard-that-will-show-....


avishkarsalve30
Engager

Hello Bro,

I am a fresher in SOC and I want to practice on Splunk Enterprise. I need datasets for practicing Splunk. Can you suggest or provide links to download demo Windows and Linux logs in a proper format for practice 😅


inventsekar
SplunkTrust

Hi @avishkarsalve30 

This post discusses a different issue, and you should not deviate from the topic; better, start a new post for your question.

Also, pls search before asking a question, as your question has been discussed multiple times. Thanks.

----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation

PS - As of May 2026, my Karma Given is 2312 and my Karma Received is 497, lets revamp the Karma Culture!
Thanks and best regards, Sekar
--------------------------------------------------------------------------------------------

inventsekar
SplunkTrust

Hi @pruthviraj_k_m 

could you pls check

index=notable

for a particular notable event (I believe for a selected notable event there will be an "In Progress" and a "Resolved").

From the documentation:

The notable event is stored in a dedicated "notable" index (which is implemented as a summary index in Splunk Enterprise)

https://docs.splunk.com/Documentation/ES/7.3.2/Install/Indexes


pruthviraj_k_m
Engager

I tried with index=notable. I couldn't see the status change fields for all the notables.

Does Splunk store all the changes made to a notable event? Is there anything like an audit log which keeps track of every change to the events?


inventsekar
SplunkTrust

Hi @pruthviraj_k_m 

Could you pls check these common Audit Log Search Examples:
  • Track Notable Status Changes:
    index=notable | table _time, owner, severity, status, rule_title
  • Identify Who Modified a Notable Event:
    index=_audit action=edit notable ...
  • Monitor User Login/Logout (Included in Audit):
    index=_audit action=login


pruthviraj_k_m
Engager

When I tried first query, it did show me the time and severity. But there was no single entry for owner, status and rule_title field. For other two queries, no results at all.


inventsekar
SplunkTrust

Hi @pruthviraj_k_m 

>>>When I tried first query, it did show me the time and severity.

Could you pls copy and paste the search query output here (remove hostnames, sensitive details, etc.)?
