how to write search query to get notable events ba...

shravankumarkus · ‎08-01-2019

How do we write search query to get notable events based on last modified time for a correlation rule ?

I want to see notable events based on modifications to the notable event like status update, comment, priority change etc.

Is there a way to get notable events based on modified time instead of earliest and latest times and i would need all fields from notable index?

i found review_time field get updated when we change some field via incident review tab in Splunk ES ?

how do we we write query to get review_time > some epoch time

 <field k='review_time'>
            <value>
                <text>1564640460.15607</text>
            </value>
            <value>
                <text>1564638955.786255</text>
            </value>
            <value>
                <text>1564638489.151153</text>
            </value>
        </field>

jawaharas · ‎08-01-2019

You can use the macro incident_review or below query (expantion of the macro) to view notable events based on modified time.

| inputlookup append=T incident_review_lookup 
| rename user as reviewer 
| `get_realname(owner)` 
| `get_realname(reviewer)` 
| eval nullstatus=if(isnull(status),"true","false") 
| `get_reviewstatuses` 
| eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status) 
| eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label) 
| eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description) 
| eval _time=time 
| `uitime(time)` 
| fields - nullstatus

shravankumarkus · ‎08-01-2019

Thanks @jawaharas

can you please give me a query using incident_review macro to get based on last modified timestamp and to get all the fields of notable event? I'm very new to this and it's difficult for me to understand the expansion

basically i have to get notable events modified for a correlation rule

jawaharas · ‎08-01-2019

Try below query.

|`incident_review`
| eval last_modified_timestamp=strftime('_time', "%m/%d/%Y %H:%M:%S")
| fields - time

shravankumarkus · ‎08-01-2019

thanks 🙂

i would need all fields from notable index for a notable event and having ( last modified timestamp greater than some configurable time ), basically i have to pass configurable time

jawaharas · ‎08-01-2019

Questions:
1. Can you list down the fields you need from notable index?
2. Will you hardcode the 'configurable time' value in the query?

shravankumarkus · ‎08-02-2019

basically all fields from notable index, fields *
yes i will calculate last modified from code, so it would be kind of hardcoded in search query

basically i'm firing a REST query from our code

jawaharas · ‎08-03-2019

@shravankumarkusuma

I don't think you will get 'notable' events fields with 'incident_review' macro. Anyway, you can get the 'incidents' whose modified time is greater than given time (myTime variable in this case).

|`incident_review`
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-3d") 
| where last_modified_timestamp>myTime 
| fields - time

jawaharas · ‎08-04-2019

@shravankumarkusuma

Can you accept the answer if it's helped you? Thanks.

simon_lavigne · ‎03-30-2020

To expand on @jawaharas answer you can pass the rule_id value from the incident_review macro to the notable_by_id macro to retrieve the notable details.

| `incident_review` 
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-4h") 
| where last_modified_timestamp>myTime 
| fields - time 
| map search=" search `notable_by_id($rule_id$)`"

how to write search query to get notable events based on last modified time for a correlation rule?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life