About badadata1

badadata1 · ‎03-18-2015

@maciep so did this work for you to get an event splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1 or you did a differently. Somewhere I read _cd is not searchable only can filter Can you post the query you did to get an event from main using _cd From notable it is working, but not for standard events in main index

badadata1 · ‎03-18-2015

How do I return events from searching the Splunk internal field _cd ? For example, the following are the _cd values. I need to get the underlying events: 0:313124421 0:313124433 0:313124445 0:313124457 0:313124469 I tried this, but does not work: splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1 Are these values Splunk CIM values? I also tried: splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1 The plan was to get an event using the event_hash from Notable results.

badadata1 · ‎03-15-2015

For Option 2 to get the Notable event details is there an API. Using the Scripting alert I can get the SID but not the Notable event details like rule_id, event_id, event_hash, urgency, severity etc. Looking for how to get the Notable event details using API and especially using sid got in the script alert. If related events also can be got along with notable details it is perfect

badadata1 · ‎03-15-2015

I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls. ie Notable events details and related events using an API with sid as the input parameter

badadata1 · ‎03-15-2015

Thanks Satish, I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls. Currently I am using a Scripted alert when a Notable is generated. This triggers a script and in the script I have the search ID and using the 8 Splunk provided ENV variables some more details on the events which caused the Notable event. But so far I have not seen an easy way to retrieve the Notable event details (event_id, rule_id, hash, urgency, severity etc) along with the incidents to an external ticketing system. Ideal way would be I have the sid using the Alerts in the scripts. Using that I call an API to get details on Notable events and related events and pass that info to an external system. and Is there a way to get the independent log line that triggered the Notable event (not the summary) Today I use this to get details of the search using sid https://splunk:8089/services/search/jobs/rt_scheduler__admin_REEtRVNTLUFjY2Vzc1Byb3RlY3Rpb24__RMD5b909c1462f27f19b_at_1425994278_5795/results So similar to this if I can call an API to get Notable event or Incident details along with related events using the sid ?

badadata1 · ‎03-13-2015

How to get details of a Notable event using API - event_id hash, rule_id, severity, urgency etc How to get a Notable event from a sid and how does a Notable event relate to an Incident Is there a way to get the related events, independent log lines that triggered the Notable event (not the summary)

Posts	6
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎03-13-2015

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

How can I search the Splunk internal field _cd to ...

How to get details of Notable event

Re: How can I search the Splunk internal field _cd...

How can I search the Splunk internal field _cd to ...

Re: Creating workflows using ES App

Re: How to get details of Notable event

Re: How to get details of Notable event

How to get details of Notable event