Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Script that Writes Splunk Query Based on Alerts' Results

SarSec
New Member
‎10-06-2024 05:47 AM

Greetings ,

Does anyone know if it's possible to create a script that writes splunk search quey based on the alerts results / table, for example:

"Multiple Failure Attempts"  uses "Authentication" data model to display results and only shows specific fields as : username , total failure attempts, source ip, destination..etc.

But I want to conduct more investigation and check raw logs to see more fields so I have to write a new search query with specifying fields and their values to get all information. (index=* sourcetype=xxx user=xxx dest=xxx srcip=xxx) then look for more fields under the displayed results. And I would like to automate this process.

Any suggestions for Apps, Scripts, recommended programming language? 

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-06-2024 10:38 PM

@PickleRick is correct that you cannot "automate" this from outside of Splunk because the nature of an alert is not to carry all context. (Otherwise you wouldn't be asking this question.)

Meanwhile, I will take a totally different approach from your stated approach.   Start from this dummy "alert" as an example.

index=_internal log_level=ERROR earliest=-5m
| stats count
| where count > 50
| sendalert dummyaction

If, say, every time this alert is triggered, you want a search to give you all raw events used in this alert to your email.  Schedule the following the same way the alert is scheduled:

index=_internal log_level=error earliest=-5m
| stats count
| where count > 100
| map search search="search index=_internal log_level=error earliest=-5m"
| sendemail to="elvis@splunk.com" sendresults=true

There are many ways to refine and develop this idea, many different commands to choose from and many ways to customize according to what additional information you need for your investigation.  The bottom line is: You don't run a "script" (to respond to a triggered alert).  Just use the same filter to trigger an action that gives you the appropriate level of detail.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2024 08:18 AM

As a general task it's simply impossible. How are you supposed to know whether your results come from a search

index=windows | stats count

or

| makeresults | eval count=10 | table count

Ok, this is an extreme example but should show my point fairly well - without a lot of assumptions you can't know what data the results came from.

The main issue with your problem is not the tool (although you probably want something that has ready-made libraries to interface with Splunk so you don't have to reinvent the wheel). The main issue is the method you'd want to use to build such search. This is something you'd have to give the most consideration to.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...