Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About michael3
michael3
Explorer
Member since:
03-04-2024
05-21-2025
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 03-04-2024 |
Activity Feed
- Posted Re: Search Within Results To Show Only Last Month on Splunk Search. 05-21-2025 07:32 AM
- Karma Re: Search Within Results To Show Only Last Month for martin_mueller. 05-21-2025 04:09 AM
- Karma Re: How to run btool as REST command or via Search GUI? for gabriel_vasseur. 10-24-2024 01:50 PM
- Posted Splunk automatically escaping the backslash character when creating/updating a snow ticket on All Apps and Add-ons. 06-13-2024 09:06 AM
- Karma Re: Is there a way to check a particular bit in a field that returns a hex value? for martin_mueller. 06-03-2024 01:38 AM
- Posted Re: compare current month count to a 3months average on Splunk Search. 05-28-2024 05:48 AM
- Karma Re: compare current month count to a 3months average for gcusello. 05-28-2024 05:47 AM
- Posted Re: Playbook format block not using filtered data on Splunk SOAR. 03-27-2024 10:08 AM
- Posted Re: Playbook format block not using filtered data on Splunk SOAR. 03-25-2024 07:58 AM
- Posted Playbook format block not using filtered data on Splunk SOAR. 03-25-2024 07:25 AM
- Karma Re: In the Splunk Add-on for ServiceNow, how do set extra custom fields when creating an incident? Specifically updating the description field. for chrisyounger. 03-08-2024 09:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
05-21-2025
07:32 AM
more than 10 years later, and this is still helping people. Thanks Martin!
... View more
06-13-2024
09:06 AM
I'm trying to set the Description field of a ServiceNow Incident ticket through Splunk, and the string I'm passing contains a newline (\n). But when Splunk creates/updates the ticket, either through the snowincident command or an action alert, it will automatically escape the backslash character. So after Splunk passes the info to snow, the underlying json of the ticket looks like this: {"description":"this is a \\n new line"} and my Description field looks like this: this is a \n new line Is this something that Splunk is doing, or the ServiceNow Add-On? Does anyone know of a way to get around this?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
05-28-2024
05:48 AM
Thank you! This was exactly what I was looking for. Much easier than trying to use eventstats
... View more
03-27-2024
10:08 AM
Yes, this was it. The filter wasn't able to deal with the multiple levels in my data. I ended up replacing the filter with a code block that ran the same conditional statement and saved the positive matches to a new list (or, in my case, 5 lists for the 5 fields I needed). Then I fed those lists into the format block instead. Thanks for the help!
... View more
03-25-2024
07:58 AM
Quick update. I changed the format block to use format_3:formatted_data instead of formatted_data.*. The note looks a lot nicer, but it's still 500 items.
... View more
03-25-2024
07:25 AM
I'm using the Cisco FireAMP app to return the trajectory of an endpoint, and the data includes a list of all running tasks/files. For my test there are 500 items returned, with 9 marked as 'Malicious'. I'm trying to filter for those and write the details to a note. But the note always contains all 500 items, not just the 9. My filter block (filter_2) is this: if get_device_trajectory_2:action_result.data.*.events.*.file.disposition == Malicious My format block (format_3) is this: %%
File Name: {0}
- File Path: {1}
- Hash: {2}
- Category: {4}
- Parent: {3}
%% where each of the variables refer to the filter block e.g.: 0: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_name
1: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_path
2: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.identity.sha256
3: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.parent.file_name
4: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.detection Finally, I use a Utility block to add the note. The Utility block contents reference the format block: format_3:formatted_data.* The debugger shows this when running the filter block: Mar 25, 13:52:54 : filter_2() called
Mar 25, 13:52:54 : phantom.condition(): called with 1 condition(s) '[['get_device_trajectory_2:action_result.data.*.events.*.file.disposition', '==', 'Malicious']]', operator : 'or', scope: 'new'
Mar 25, 13:52:54 : phantom.get_action_results() called for action name: get_device_trajectory_2 action run id: 0 app_run_id: 0
Mar 25, 13:52:54 : phantom.condition(): condition 1 to evaluate: LHS: get_device_trajectory_2:action_result.data.*.events.*.file.disposition OPERATOR: == RHS: Malicious
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Clean' '==' 'Malicious' => result:False
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False so it looks like it's correctly identifying the malicious files. The debugger shows this when running the format block: Mar 25, 13:52:55 : format_3() called
Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_name'], scope: new and filter_artifacts: []
Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_path'], scope: new and filter_artifacts: []
Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.identity.sha256'], scope: new and filter_artifacts: []
Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.parent.file_name'], scope: new and filter_artifacts: []
Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.detection'], scope: new and filter_artifacts: []
Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
Mar 25, 13:52:56 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
Mar 25, 13:52:56 : save_run_data() saving 136.29 KB with key format_3:formatted_data_
Mar 25, 13:52:56 : save_run_data() saving 140.23 KB with key format_3__as_list:formatted_data_ there are 9 malicious files and it looks like that's what it's saying in the debugger, so again it seems like it's using the filtered data correctly. But my note always has 500 items in it. I'm not sure what I'm doing wrong. Can anyone offer any help, because I'm stuck. Thanks.
... View more
Labels
- Labels:
-
troubleshooting
-
using SOAR ⁄ Phantom
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-21-2025
04:09 AM
|
