Splunk Enterprise Security

Using tokens within tokens in Notable Events

hunterar
Engager

I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)"  and I use:

`notable` 
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded.  How can I tell it to recursively expand any tokens nested inside other tokens?

 

Labels (1)
0 Karma
1 Solution

thambisetty
SplunkTrust
SplunkTrust

@hunterar 

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

  

————————————
If this helps, give a like below.

View solution in original post

thambisetty
SplunkTrust
SplunkTrust

@hunterar 

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

  

————————————
If this helps, give a like below.

hunterar
Engager

Thanks, that fixed it.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...