How to assign/tag severity to an eventtype without using lookup tables

anssntaco
Path Finder

Is it possible to define a severity level for an eventtype without using a lookup table? The purpose would be so that, when I run a single, generic search that provides the ability to report/alert on multiple of these eventtypes, I can differentiate between the severity of each.

Without severity

Currently, the search looks something like this:

index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype

The results would look like this (in csv)

  • HOST,EVENTTYPE,COUNT
  • host1,eventtype1,count
  • host1,eventtype2,count
  • host2,eventtype1,count
  • host2,eventtype3,count

With severity

Through some method, there'd be an eventtype -> severity mapping like this:

  • eventtype1 -> 5
  • eventtype2 -> 4
  • eventtype3 -> 4

index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype severity

The results would look like this (in csv)

  • HOST,EVENTTYPE,SEVERITY,COUNT
  • host1,eventtype1,5,count
  • host1,eventtype2,4,count
  • host2,eventtype1,5,count
  • host2,eventtype3,4,count

Short of creating a separate lookup table (which is definitely possible; it would just be a more complicated operational process to update), what's the best method for creating that mapping? For example, I was hoping it might be possible to use tags for this. I know you can't assign values to tags (e.g. tag::severity=5), but I thought we might be able to create hierarchical tags (e.g. tag::severity::5).

0 Karma

starcher
SplunkTrust

I am unclear why you are avoiding a lookup table. You could create your table as a simple two-column csv and have it auto lookup based on the eventtype value. And if you put this all in an "app" that you send through the deployment server, you only have to maintain it all in one spot. If you ever get into the TAs for the Enterprise Security or PCI app, you will find this is how they function. Make a lookup table leveraged by the sourcetype, define eventtypes, maybe assign tags based on eventtype, but tags are not what you need here. The auto lookup is.


severity.csv in your lookups folder

eventtype,severity
eventtype1,5
eventtype2,4
eventtype3,4
eventtype4,2


add an eventtypes.conf

[eventtype1]
search = index=myindex source=thisone somethingthatmeansthistype

[eventtype2]
search = index=myindex source=thisone somethingelsethatmeansthistype

[eventtype3]
search = index=myindex source=thisone anothersomethingelsethatmeansthistype


edit your props.conf, adding an automatic lookup definition.

# placeholder stanza: the LOOKUP- line must sit inside the sourcetype (or source::) stanza that matches these events
[your_sourcetype]
LOOKUP-severity_from_eventtype = eventseveritylookup eventtype OUTPUT severity


edit your transforms.conf
# stanza name must match the lookup name used in props.conf
[eventseveritylookup]
filename = severity.csv
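The following is an added example, not code from the thread. It addresses the maintenance concern raised in the question (teams add eventtypes, someone then has to hand-edit the csv): a small Python script that generates the severity.csv lookup from eventtypes.conf itself, so contributors only touch the one file they already edit and the lookup is regenerated as a build step of the app pushed through the deployment server. It assumes a hypothetical "# severity: N" comment convention inside each eventtypes.conf stanza (Splunk has no such key); stanzas without the annotation get a default severity and are reported so they do not silently vanish from the lookup. The sample conf text is constructed for the example. One caveat on the props.conf automatic lookup above: Splunk applies automatic lookups before it assigns eventtypes, so a LOOKUP- keyed on the eventtype field will not populate; invoke the lookup explicitly in the search instead, e.g. `index=myindex source=thisone eventtype=eventtype* | lookup eventseveritylookup eventtype OUTPUT severity | stats count by host eventtype severity`.

```python
import csv
import io
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of an eventtypes.conf in the layout used in the thread.
# The "# severity: N" comment inside each stanza is a hypothetical convention
# adopted for this example; eventtype4 deliberately lacks it to show the edge case.
SAMPLE_EVENTTYPES_CONF = """\
[eventtype1]
# severity: 5
search = index=myindex source=thisone somethingthatmeansthistype

[eventtype2]
# severity: 4
search = index=myindex source=thisone somethingelsethatmeansthistype

[eventtype3]
# severity: 4
search = index=myindex source=thisone anothersomethingelsethatmeansthistype

[eventtype4]
search = index=myindex source=thisone yetanothertype
"""

DEFAULT_SEVERITY = 1  # assumption: unannotated eventtypes get the lowest severity

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SEVERITY_RE = re.compile(r"^#\s*severity\s*:\s*(?P<sev>\d+)\s*$", re.IGNORECASE)


def parse_eventtypes(conf_text: str) -> Dict[str, Optional[int]]:
    """Return {eventtype: severity or None} for every stanza in the conf text.

    Only the stanza header and the severity annotation are interpreted; the
    search = ... lines are passed over, so the conf stays Splunk's to own.
    """
    severities: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            severities.setdefault(current, None)
            continue
        m = SEVERITY_RE.match(line)
        if m and current is not None:
            severities[current] = int(m.group("sev"))
    return severities


def build_rows(severities: Dict[str, Optional[int]],
               default: int = DEFAULT_SEVERITY) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Turn the parsed map into lookup rows; report stanzas that had no annotation."""
    rows: List[Tuple[str, int]] = []
    unannotated: List[str] = []
    for name in sorted(severities):
        sev = severities[name]
        if sev is None:
            unannotated.append(name)
            sev = default
        rows.append((name, sev))
    return rows, unannotated


def render_csv(rows: List[Tuple[str, int]]) -> str:
    """Render rows as the two-column csv the transforms.conf lookup expects."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["eventtype", "severity"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python gen_severity.py [path/to/eventtypes.conf] > lookups/severity.csv
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVENTTYPES_CONF
    rows, missing = build_rows(parse_eventtypes(text))
    for name in missing:
        print(f"WARNING: {name} has no severity annotation; "
              f"defaulting to {DEFAULT_SEVERITY}", file=sys.stderr)
    sys.stdout.write(render_csv(rows))
```

Run it against the app's default/eventtypes.conf in whatever job builds the app, commit or ship the generated csv alongside, and the lookup can never drift from the eventtype list; the warning on stderr is what makes a forgotten annotation visible to the team that added the eventtype.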

anssntaco
Path Finder

... That's not to say that isn't workable; I was just hoping for a way this would be possible without going there.

Hope that explains things a little better. Thanks for your help though!

0 Karma

anssntaco
Path Finder

The reason for the aversion to lookup tables is how this would be supported operationally. Our list of eventtypes is a constantly growing list with contributions coming from multiple different teams.

Using lookup tables means the tables need to be manually updated every time a new eventtype is created. Since there doesn't exist (AFAICT) a way to edit lookup tables through the UI, these edits would need to either a) happen on the search heads, or b) happen remotely, with the updated file then pushed to the search heads. Either way, that sounds like a fair amount of overhead...

0 Karma