Activity Feed
- Got Karma for How to get details of Notable event. 06-05-2020 12:47 AM
- Posted Re: How can I search the Splunk internal field _cd to return certain events? on Splunk Search. 03-18-2015 10:08 PM
- Posted How can I search the Splunk internal field _cd to return certain events? on Splunk Search. 03-18-2015 07:08 AM
- Tagged How can I search the Splunk internal field _cd to return certain events? on Splunk Search. 03-18-2015 07:08 AM
- Posted Re: Creating workflows using ES App on Splunk Enterprise Security. 03-15-2015 11:03 PM
- Posted Re: How to get details of Notable event on Splunk Search. 03-15-2015 09:26 PM
- Posted Re: How to get details of Notable event on Splunk Search. 03-15-2015 09:24 PM
- Posted How to get details of Notable event on Splunk Search. 03-13-2015 03:14 AM
- Tagged How to get details of Notable event on Splunk Search. 03-13-2015 03:14 AM
Topics I've Started
03-18-2015 10:08 PM
@maciep so did this work for you to get an event?
splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1
Or did you do it differently? Somewhere I read that _cd is not searchable, only filterable.
Can you post the query you used to get an event from main using _cd?
From notable it is working, but not for standard events in the main index.
03-18-2015 07:08 AM
How do I return events by searching the Splunk internal field _cd?
For example, the following are the _cd values. I need to get the underlying events:
0:313124421 0:313124433 0:313124445 0:313124457 0:313124469
I tried this, but it does not work:
splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1
Are these values Splunk CIM values?
I also tried:
splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1
The plan was to get an event using the event_hash from Notable results.
03-15-2015 11:03 PM
For Option 2, to get the Notable event details, is there an API?
Using the scripted alert I can get the SID, but not the Notable event details like rule_id, event_id, event_hash, urgency, severity etc.
Looking for how to get the Notable event details using an API, and especially using the sid obtained in the scripted alert.
If the related events can also be retrieved along with the notable details, that would be perfect.
03-15-2015 09:26 PM
I was not very clear in the question. I can see the Notable details on the Incident Review screen; what I want is to get these details using a REST API or other calls, i.e. Notable event details and related events using an API with the sid as the input parameter.
03-15-2015 09:24 PM
Thanks Satish, I was not very clear in the question. I can see the Notable details on the Incident Review screen; what I want is to get these details using a REST API or other calls.
Currently I am using a scripted alert when a Notable is generated. This triggers a script, and in the script I have the search ID and, using the 8 Splunk-provided ENV variables, some more details on the events which caused the Notable event.
But so far I have not seen an easy way to retrieve the Notable event details (event_id, rule_id, hash, urgency, severity etc.) along with the incidents to an external ticketing system. The ideal way would be: I have the sid from the alert in the script; using that I call an API to get details on the Notable event and related events and pass that info to an external system.
And is there a way to get the independent log line that triggered the Notable event (not the summary)?
Today I use this to get details of the search using the sid:
https://splunk:8089/services/search/jobs/rt_scheduler__admin_REEtRVNTLUFjY2Vzc1Byb3RlY3Rpb24__RMD5b909c1462f27f19b_at_1425994278_5795/results
So, similar to this, can I call an API to get Notable event or Incident details along with related events using the sid?
03-13-2015 03:14 AM
1 Karma
How to get details of a Notable event using an API: event_id hash, rule_id, severity, urgency etc.?
How to get a Notable event from a sid, and how does a Notable event relate to an Incident?
Is there a way to get the related events, the independent log lines that triggered the Notable event (not the summary)?
- Tags:
- notable