Guys, I've created a dashboard where I hunt IOCs from OTX intelligence across several logs in Splunk. This dashboard was initially created to show whether any IOC was found, and once we click on the number (stats count command), the drilldown executes a second query giving us more information (table command). However, besides that, I want the dashboard to send us an email every time the count > 0, so I used sendemail. However, I can't use the sendemail command where the stats count command is, because I would receive an email with only the number 😞. So I thought about using sendemail in the second query; however, it will only send the email if one of us CLICKS on the number. So I was trying to find a way to make the drilldown more automatic, meaning that once the result is > 0, the drilldown would be activated automatically without clicking. I am wondering if this is possible, or if there is another solution I can use without giving up the design of the dashboard? Below is the dashboard source (pay attention to the lookup that I am doing for domain):

<form theme="dark">
  <label>_My company_IOC hits by OTX</label>
  <description>(proxy, Firewalls, load balancers)</description>
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label>Time Range</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" searchWhenChanged="true" token="wild">
      <label>Wildcard Search</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>My Tool</title>
      <single>
        <title>Hits by URL</title>
        <search>
          <query>index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [| inputlookup OTX | search type=URL | rename indicator as url | table url] | dedup user | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <refresh>300s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">URL</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [| inputlookup OTX | search type=URL | rename indicator as url | table url] | dedup user | table _time, url, user, src, serverip, ClientIP</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>My Tool</title>
      <single>
        <title>Hits by Domain/Hostname</title>
        <search>
          <query>index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [| inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname] | dedup user | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <refresh>200s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">URL</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="alert">index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [| inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname] | dedup user | table _time, hostname, domain, user, serverip, ClientIP | sendemail to="myaddress@mydomamin.com" server=smtp.server.co.nz subject="OTX - My Tool Notification - IOC found by Domain" message="This is an test message" sendresults=true inline=true format=csv</set>
        </drilldown>
      </single>
    </panel>
  </row>
</form>

I really appreciate any help or idea. Thanks, Luciana
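A Simple XML drilldown only runs when someone clicks, so the way to get the email without a click is to leave the dashboard panels as they are and move the detail query into a scheduled alert, where the alert trigger condition (more than 0 results) does the job the manual drilldown did. The savedsearches.conf stanza below is an added example, not part of the original post: the index, sourcetype, lookup, field list, recipient and subject are copied from the post; the stanza name, the 5-minute cron schedule, the per-user throttling and the per-search SMTP server override are assumptions.

```ini
# savedsearches.conf (for example in an app's local/ directory); stanza name is assumed
[OTX - My Tool IOC hits by Domain]
# The detail query from the drilldown, without sendemail: the alert's email action delivers the rows
search = index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [| inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname] | dedup user | table _time, hostname, domain, user, serverip, ClientIP

# Same 4-hour window the dashboard's time picker defaults to; the 5-minute schedule is assumed
dispatch.earliest_time = -4h@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *

# Trigger only when the search returns rows, i.e. when the number the single-value panel shows is > 0
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# A 4h window polled every 5 minutes would re-send the same hit on every run; throttle per user
# for the length of the window so each user's hit is emailed once (assumed throttling policy)
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 4h

# Email action with the same arguments the post passed to sendemail (results inline as CSV)
action.email = 1
action.email.to = myaddress@mydomamin.com
action.email.subject = OTX - My Tool Notification - IOC found by Domain
action.email.sendresults = 1
action.email.inline = 1
action.email.format = csv
# Assumed: per-search override of the SMTP server; this is normally set once in alert_actions.conf
action.email.mailserver = smtp.server.co.nz
```

The URL panel gets a second stanza of the same shape with the `type=URL` subsearch and the `url`/`src` field list. The dashboard keeps counting and colouring on its own refresh; the alert is what sends the email, and because it runs the row-level query rather than `stats count`, the message carries the full table instead of just the number. Keep `dedup user` in the alert search so the count the email is gated on matches what the panel shows.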