Hello,
Still trying to find a way to manage false positives in a search, I am leaning more and more towards an external file which could be looked up as part of a search to modify (filter) the search results.
Do you know of examples where, within a splunk search string there is a call to a script to which two parameters are passed and this script returns a value (boolean or other) which then influences the results? Something like (I know that the syntax is incorrect, I just want to give an idea of what I want to achieve):
... | eval IsFalsePositive = script CheckFalsePositives(host,vulnID) | search IsFalsePositive=0
The script documentation mentions that one can run a script which outputs some data. How could this be adapted to my case (what I provided is just my idea of how to handle this kind of search filtering - there may be better ways than to assign a variable which is then checked for its value)? I also saw the article about handling inputs which could be adequate but the example (iplocate) is far from obvious.
Maybe it would be possible to directly implement this in a Splunk search (without a script)? Ideally the file would have the following content
machine_name,vulnerability
host1,vuln1
host5,*
*,vuln32
...
which would cover all reasonable cases (line 1: ignore vuln1 for host1, line 2: ignore all vulnerabilities for host 5, line 3: ignore all hosts for vulnerability vuln32).
Thank you!
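One way to do what the post describes, as an added example that is not from the original post or from Splunk itself: an external lookup script in Splunk's stdin/stdout CSV convention that evaluates the suppression file (with `*` as a wildcard) and fills in an `IsFalsePositive` column, so the search can become `... | lookup <lookup-name> host vulnID OUTPUT IsFalsePositive | search IsFalsePositive=0`. The field names `host` and `vulnID`, the lookup name and the file contents are assumptions.

```python
# Hypothetical Splunk external lookup script (constructed example, not from
# the original post). Splunk pipes the lookup's fields as CSV on stdin; the
# script fills in IsFalsePositive and writes the CSV back to stdout.
import csv
import fnmatch
import io
import sys

# Constructed copy of the suppression file described in the post ('*' = any).
SUPPRESSION_CSV = """machine_name,vulnerability
host1,vuln1
host5,*
*,vuln32
"""


def load_rules(text):
    """Parse the suppression file into (host_pattern, vuln_pattern) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["machine_name"].strip(), r["vulnerability"].strip())
            for r in reader]


def is_false_positive(host, vuln_id, rules):
    """1 if any rule matches both host and vulnerability (glob-style), else 0."""
    for host_pat, vuln_pat in rules:
        if (fnmatch.fnmatchcase(host, host_pat)
                and fnmatch.fnmatchcase(vuln_id, vuln_pat)):
            return 1
    return 0


def run_lookup(csv_in, rules):
    """Process one external-lookup request: CSV text in, CSV text out."""
    reader = csv.DictReader(io.StringIO(csv_in))
    fields = list(reader.fieldnames)
    if "IsFalsePositive" not in fields:      # Splunk normally sends it empty
        fields.append("IsFalsePositive")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for row in reader:
        row["IsFalsePositive"] = is_false_positive(
            row.get("host", ""), row.get("vulnID", ""), rules)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    sys.stdout.write(run_lookup(sys.stdin.read(), load_rules(SUPPRESSION_CSV)))
```

The script is wired in via a transforms.conf stanza with `external_cmd` and a `fields_list` naming `host, vulnID, IsFalsePositive`; if no script is wanted, the same CSV can instead be used as a plain lookup table with `match_type = WILDCARD(machine_name), WILDCARD(vulnerability)` in transforms.conf.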