I use the below search command with email notification query:
src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path | stats list(file_path) list(time_detected) AS time by src user*
The email content consists of the information below:
Antivirus information:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$
However, the resulting email content looks like this:
Antivirus information:
Date (UTC-0):
Machine name: BDDH2591
Username: chsab
Path:
The date and time details are missing.
What can be done?
@pinkyyu,
The fields produced by your last stats command and the fields referenced in your email do not match:
Field in email: $$result.time_detected$$ -> field in search: time
Field in email: $$result.file_path$$ -> field in search: list(file_path)
Change the search or change the fields in the email, e.g.:
src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path
| stats list(file_path) AS file_path, list(time_detected) AS time_detected by src user*
But the format of the email notification is not good. Is there any way to improve it?
Antivirus information:
Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username: chsab
Path: D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\Copy of Shortcut to (1).lnk D:\Copy of Shortcut to (2).lnk D:\Copy of Shortcut to (3).lnk D:\Copy of Shortcut to (4).lnk D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\DSC_0025.lnk D:\DSC_0027.lnk D:\DSC_0028.lnk D:\DSC_0173.lnk D:\DSC_0174.lnk D:\joined-all.lnk D:\Learn all Forms of Arabic Alphabet Letters (Beginning, Middle & End of a Word).lnk D:\MOA.lnk D:\asim b day.lnk D:\Phonics Song .lnk D:\Pics.lnk D:\RECYCLER.lnk D:\rrrr.lnk D:\Rujaan b day.lnk D:\Ruma_CV.lnk D:\Saiful.lnk D:\SIVC.lnk D:\The Annoying Orange.lnk D:\Twinkle Twinkle Little Star.lnk D:\videoplayback_11.lnk D:\videoplayback_15.lnk D:\videoplayback_16.lnk
You may combine those multivalue fields and then expand them to get one event per row. Also select "Inline table" for the results in the email settings.
src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path
| stats list(file_path) AS file_path, list(time_detected) AS time_detected by src user*
| eval x=mvzip(file_path,time_detected,"#") | table src,user,x
| mvexpand x | rex field=x "(?<file_path>.+)#(?<time_detected>.+)" | fields - x
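To make the two answers above concrete, here is an added Python model (not code from the thread or from Splunk) of what happens to the email body in both cases: first, $result.field$ tokens being filled from the first result row only, so a field that the search does not produce under that exact name (time instead of time_detected, list(file_path) instead of file_path) comes out empty and a multivalue field comes out as one run-together line; second, the mvzip / mvexpand / rex step that splits one stats row into one row per file. The sample row, the template and the helper names (render_tokens, mvexpand_and_rex) are constructed for this example; the space-joining of multivalue tokens and the first-row-only rule are assumptions chosen to reproduce the output the thread shows, not a statement of Splunk internals.

```python
"""Added example: models why the email fields were empty or run together,
and what the mvzip/mvexpand/rex step does to a stats row.  Constructed data."""
import re

# Constructed: one row as produced by
#   stats list(file_path) list(time_detected) AS time by src user
# i.e. the field names do NOT match the tokens used in the email template.
ROW_WITH_MISMATCHED_NAMES = {
    "src": "BDDH2591",
    "user": "chsab",
    "list(file_path)": ["D:\\autorun.lnk", "D:\\COOL.vbs"],
    "time": ["10/27/2018 2:45:08 PM", "10/27/2018 2:44:10 PM"],
}

# Constructed: same data after "AS file_path" / "AS time_detected".
ROW_WITH_MATCHING_NAMES = {
    "src": "BDDH2591",
    "user": "chsab",
    "file_path": ["D:\\autorun.lnk", "D:\\COOL.vbs"],
    "time_detected": ["10/27/2018 2:45:08 PM", "10/27/2018 2:44:10 PM"],
}

# The email body from the thread; in a dashboard "$$" is an escaped "$",
# so the tokens reach the email as $result.<field>$ .
TEMPLATE = (
    "Antivirus information:\n"
    "Date (UTC-0): $result.time_detected$\n"
    "Machine name: $result.src$\n"
    "Username: $result.user$\n"
    "Path: $result.file_path$\n"
)

TOKEN = re.compile(r"\$result\.([A-Za-z_][A-Za-z0-9_()]*)\$")


def render_tokens(template, first_row):
    """Assumption used by this model: tokens resolve against the first result
    row only; a missing field becomes '' and a multivalue field is joined
    with spaces (this reproduces the run-together Path line in the thread)."""
    def sub(match):
        value = first_row.get(match.group(1), "")
        return " ".join(value) if isinstance(value, list) else value
    return TOKEN.sub(sub, template)


def mvzip(a, b, delim="#"):
    """Pair the i-th element of a with the i-th element of b, joined by delim."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvexpand_and_rex(row, delim="#"):
    """mvzip + mvexpand + rex from the answer above: one output row per
    (file_path, time_detected) pair.  The rex in the thread,
    (?<file_path>.+)#(?<time_detected>.+), has a greedy first group, so it
    splits at the LAST delimiter; rsplit(delim, 1) does the same.  Two checks
    a practitioner wants that the SPL does not give you: refuse a delimiter
    that occurs in the data, and refuse lists of different length, because
    either one silently pairs the wrong time with the wrong file."""
    paths = row["file_path"]
    times = row["time_detected"]
    if len(paths) != len(times):
        raise ValueError("list(file_path) and list(time_detected) differ in length")
    if any(delim in p for p in paths) or any(delim in t for t in times):
        raise ValueError(f"delimiter {delim!r} occurs in the data; choose another")
    expanded = []
    for x in mvzip(paths, times, delim):
        file_path, time_detected = x.rsplit(delim, 1)
        expanded.append({"src": row["src"], "user": row["user"],
                         "file_path": file_path, "time_detected": time_detected})
    return expanded


if __name__ == "__main__":
    print(render_tokens(TEMPLATE, ROW_WITH_MISMATCHED_NAMES))  # empty Date/Path
    print(render_tokens(TEMPLATE, ROW_WITH_MATCHING_NAMES))    # values run together
    for r in mvexpand_and_rex(ROW_WITH_MATCHING_NAMES):        # one row per file
        print(r)
```

Two points the model makes visible: renaming the stats outputs fixes the empty fields but not the layout, because the tokens still see one row holding every value, which is why the answer also says to send the results as an inline table after mvexpand; and list() keeps duplicates in both fields, so the same file can legitimately appear on several rows with different detection times, whereas values() would dedupe and break the pairing with time_detected.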
After testing the modified search, the format in the email is the same. All file paths are shown together.
Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username:
Path: D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\COOL.vbs D:\COOL.vbs D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\COOL.vbs D:\100MSDCF.lnk
How are you getting this in the results on the Splunk search head? Are these in a single field or in multiple rows? And are you sending them as a table in the email?
I created a dashboard and use the command below, together with the search command mentioned above, to trigger the email notification from the dashboard:
|sendemail to="$email$," from="XXX@com>" subject="Information ($case_id$)" message="Dear $name$,
Details:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$