Activity Feed
- Posted How to use conditional search on Splunk Search. 01-13-2025 06:07 AM
- Posted How to retrieve a specific alert in Splunk Enterprise security apart from using Short ID method? on Splunk Enterprise Security. 10-01-2023 06:08 PM
Topics I've Started
01-13-2025 06:07 AM
Hi All, I have a main search where the name1 field will have multiple values. I need to run a subsearch based on the value of name1. The structure goes like this:

main_search, which has name1=a
subsearch: if name1=a then run search1; if name1=b then run search2

I have tried this with the following code:

```
| makeresults | eval name1="a"
| eval condition=case(name1="a", "index=_internal | head 1 | eval val=\"Query for a1\" | table val",
    name1="b", "index=_internal | head 1 | eval val=\"Query for b\" | table val",
    1=1, "search index=_internal | head 1 | eval val=\"Default query\" | table val")
| table condition
| map search=$condition$
```

I am getting the following error:

```
Unable to run query '"index=_internal | head 1 | eval val=\"Query for a1\" | table val"'.
```
Labels: eval
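As an added example (not part of the original post, and not an answer from the thread), one way to get the conditional branching the post asks for without embedding a whole quoted SPL string in a field value: `case()` yields only a plain identifier, and each branch lives in its own saved search that `map` calls by name. The names `query_for_a1`, `query_for_b` and `default_query` are assumed saved searches that the reader must create in the app, with permissions allowing the running user to dispatch them; `maxsearches` is set explicitly because `map` issues one search per input row.

```spl
| makeresults
| eval name1="a"
| eval condition=case(name1="a", "query_for_a1",
                      name1="b", "query_for_b",
                      true(),    "default_query")
| table condition
| map search="| savedsearch $condition$" maxsearches=10
```

Keeping the substituted value a fixed identifier chosen by `case()` also matters from a hardening point of view: `map` splices field values into SPL, so a template that substituted free-form text from events would let whoever controls those events shape the search that runs; with the identifiers above, an unexpected `name1` value falls through to `default_query` rather than into the search string.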
10-01-2023 06:08 PM
Hi All, Is there a way to retrieve a specific alert without using the short ID in the Incident Review page? I was thinking of using the "rule_id" field or the "event_hash" of the alert, but could not pull the specific alert. Please suggest any alternative method other than using the short ID. Thanks.
Labels: using Enterprise Security