
Has anyone created an Event Action for sessionid to pivot back to the Splunk App for NetWitness from Splunk?

rataide
Path Finder

Hi all,

I'm wondering if anyone has created an Event Action for sessionId to pivot back to SA/NW from Splunk, as this is a popular question.

It's not part of the app as it would always require customisation.

Thank you,

Rui


rataide
Path Finder

I have now created a few in case anyone finds this page in future.

[1SA_Session]
display_location = both
fields = sessionid
label = Show Session in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/reconstruction/$sessionid$/AUTO
type = link

[1SA_SrcIP]
display_location = both
fields = src_ip
label = Show Source $src_ip$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/ip.src=$src_ip$
type = link

[1SA_DstIP]
display_location = both
fields = dest_ip
label = Show Destination $dest_ip$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/ip.dst=$dest_ip$
type = link

[1SA_AliasHost]
display_location = both
fields = dest_host
label = Show $dest_host$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/alias.host=$dest_host$
type = link

Hope this helps.

Cheers,

Rui
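Added example, not part of the original post and not code from the app: a small Python check to run over stanzas like the ones above before deploying them. It flags a `link.uri` that still contains a `<PLACEHOLDER>`, a URI that is not https, and any `$token$` in the URI or label that `fields` does not cover (entries in `fields` are treated as glob patterns). The function name, the address 192.0.2.10 and the device id 7 are assumptions made up for the sample.

```python
import configparser
import fnmatch
import re

# Constructed sample (abridged keys): the first stanza keeps the post's placeholders,
# the second is hypothetical, with made-up values and a token that "fields" misses.
SAMPLE_CONF = """
[1SA_Session]
fields = sessionid
label = Show Session in SA
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/reconstruction/$sessionid$/AUTO
type = link

[1SA_SrcIP]
fields = src
label = Show Source $src_ip$ in SA
link.uri = http://192.0.2.10/investigation/7/navigate/query/ip.src=$src_ip$
type = link
"""

TOKEN = re.compile(r"\$!?([A-Za-z_][\w.]*)\$")   # $field$ or $!field$ token
PLACEHOLDER = re.compile(r"<[A-Z]+>")             # e.g. <SAIPADDRESS>, <DEVICEID>


def lint_workflow_actions(conf_text):
    """Return {stanza name: [problem, ...]} for every type = link stanza."""
    cp = configparser.RawConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        s = cp[name]
        if s.get("type") != "link":
            continue
        uri = s.get("link.uri", "")
        problems = []
        if PLACEHOLDER.search(uri):
            problems.append("placeholder not replaced")
        if not uri.startswith("https://"):
            problems.append("link.uri is not https")
        listed = [f.strip() for f in s.get("fields", "*").split(",")]
        for tok in sorted(set(TOKEN.findall(uri + " " + s.get("label", "")))):
            if not any(fnmatch.fnmatchcase(tok, pat) for pat in listed):
                problems.append("token $%s$ not in fields" % tok)
        report[name] = problems
    return report


if __name__ == "__main__":
    print(lint_workflow_actions(SAMPLE_CONF))
```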
