Splunk Enterprise Security

How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

laleger
Explorer

I would like to create a dashboard that displays notable event titles as seen on the Incident Review dashboard. Is there an easy way to take the rule_title that is available via the "notable" macro and show token values?

For example, the rule_title from notable macro will show a value such as: "Bad thing by $src_ip$"

But the value I really want to show is: "Bad thing by 192.168.1.1"

I understand that Splunk is probably not storing the latter anywhere (at least not anywhere I can find), but how could I get Splunk to show the value of the token in the same field?

1 Solution

micahkemp
Champion

My custom search command (very quickly done during an evaluation, so it's up to you to sanity check it):

from splunklib.searchcommands import \
    dispatch, StreamingCommand, Configuration
import sys
from string import Template

class MyTemplate(Template):
    # ES rule titles carry $field$ placeholders. string.Template expects the
    # four named groups below; only 'escaped' and 'named' can actually match.
    pattern = r'''
        \$(?:
            (?P<escaped>\$)      |  # $$ is a literal dollar sign
            (?P<named>[^$]+)\$   |  # $src_ip$ names a field of the record
            (?P<braced>(?!))     |  # no ${field} form in ES titles
            (?P<invalid>)           # a lone $ is left untouched
        )
    '''

@Configuration(local=True)
class TemplateCommand(StreamingCommand):
    """Usage: ... | template <field> [<field> ...]

    Replaces every $name$ inside each listed field with the value of field
    'name' from the same record. Names the record does not carry stay as
    literal $name$ (safe_substitute never raises on a missing key)."""
    def stream(self, records):
        for record in records:
            for fieldname in self.fieldnames:
                value = record.get(fieldname)
                if value is None:
                    continue  # field absent from this record: nothing to expand
                template = MyTemplate(value)
                record[fieldname] = template.safe_substitute(record)
            yield record

dispatch(TemplateCommand, sys.argv, sys.stdin, sys.stdout, __name__)

The command would be run like this (I think):

<notable search> | template src_ip dest_ip <...>
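
The substitution the command above performs, written as a stand-alone script so it can be run offline over a few constructed notable records. This is an added example, not micahkemp's command and not splunklib code: it uses only the standard library, and the target fields (rule_title, rule_description), the sample records, the comma-joining of multivalue fields and the stricter token pattern are all assumptions. It goes a little beyond the answer by showing what happens to a token whose field is missing from the event, to a multivalue field, and to a literal dollar amount in a title.

```python
"""Expand ES-style $field$ tokens in notable event titles (added example)."""
from string import Template


class NotableTemplate(Template):
    """Template whose placeholders look like $src_ip$.

    string.Template requires the four named groups 'escaped', 'named',
    'braced' and 'invalid'; 'braced' is a never-matching group because ES
    titles have no ${field} form. The token name is restricted to typical
    Splunk field-name characters so that "$5000 by $user$" is not swallowed
    as one token named "5000 by " (which a pattern like [^$]+ would do).
    """
    pattern = r"""
        \$(?:
            (?P<escaped>\$)                |  # $$ -> literal $
            (?P<named>[A-Za-z0-9_.:-]+)\$  |  # $src_ip$ -> value of src_ip
            (?P<braced>(?!))               |  # no ${field} form
            (?P<invalid>)                     # a bare $ is left untouched
        )
    """


def expand_title(template_text, record):
    """Return template_text with each $field$ replaced by record[field].

    Unknown fields stay as the literal $field$, which makes it visible on a
    dashboard that the rule references a field the event does not carry.
    Multivalue fields (lists) are joined with ", " (assumption); None is
    skipped so the token stays visible rather than rendering as "None".
    """
    flat = {}
    for key, value in record.items():
        if isinstance(value, (list, tuple)):
            flat[key] = ", ".join(str(v) for v in value)
        elif value is not None:
            flat[key] = str(value)
    return NotableTemplate(template_text).safe_substitute(flat)


def expand_notables(records, fieldnames=("rule_title", "rule_description")):
    """Mirror the streaming command: expand the listed fields of each record.

    Returns new dicts; the input records are left unchanged.
    """
    expanded = []
    for record in records:
        rec = dict(record)
        for fieldname in fieldnames:
            if isinstance(rec.get(fieldname), str):
                rec[fieldname] = expand_title(rec[fieldname], rec)
        expanded.append(rec)
    return expanded


# Constructed sample notable records (not real ES output).
SAMPLE_NOTABLES = [
    {
        "rule_title": "Bad thing by $src_ip$",
        "rule_description": "$src_ip$ contacted $dest_ip$ on port $dest_port$",
        "src_ip": "192.168.1.1",
        "dest_ip": "10.0.0.5",
        "dest_port": 445,  # non-string values are stringified
    },
    {
        # 'user' is referenced by the title but absent from the event,
        # and 'src' is a multivalue field.
        "rule_title": "Excessive failures for $user$ from $src$",
        "src": ["10.1.1.1", "10.1.1.2"],
    },
    {
        # A literal dollar amount must not be mistaken for a token.
        "rule_title": "Transfer of $5000 by $user$",
        "user": "alice",
    },
]


if __name__ == "__main__":
    for rec in expand_notables(SAMPLE_NOTABLES):
        print(rec["rule_title"])
        if "rule_description" in rec:
            print("   ", rec["rule_description"])
```

The behaviour worth checking on a dashboard is the second record: a missing field is left as `$user$` rather than silently becoming an empty string, so an analyst can tell the event lacks the field the correlation search expected.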


smeier
Path Finder

Researching this exact problem and stumbled upon something that may help future searchers.

expandtoken command, new for ES 5

http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Expandtoken

laleger
Explorer

I was hoping that I wouldn't have to go this route, but looks like this is definitely a possible solution. Do you recall the URL/title for the post from martin_mueller? I couldn't find it.

0 Karma

micahkemp
Champion

martin_mueller posted a way to do this using macros, but I used a custom search command to do variable replacement.

Oops, I meant to post this as a comment. This is certainly not an answer.

0 Karma