Re: Demisto Add-on for Splunk: Search gets replace...

vrajshekar · ‎06-02-2020

I have integrated Splunk with Demisto. I am trying to run the below search from Demisto:

source="squid" clientip="xxx" | where server_ip IN(${DBotAvgScore.Indicator}) | stats count by server_ip
DBotAvgScore.Indicator is an array that contains the below values
["204.79.197.200","13.107.18.254","117.18.237.29","13.107.21.200","104.16.133.229","35.241.8.149","52.88.91.154","104.17.211.204","209.197.3.15"]

The search gets replaced with the value of the array and fails to run because of '['.

I am stuck here. I would appreciate any help.

kamlesh_vaghela · ‎06-02-2020

@vrajshekar

With assumption of DBotAvgScore.Indicator is your dashboard token that contains the array values I have designed search string. Can you please try this? Use this search in your panel.

 source="squid" clientip="xxx" [| makeresults | eval server_ip=replace($DBotAvgScore.Indicator|s$,"\[|\]|\"","") | eval server_ip = split(server_ip,",") | stats count by server_ip | table server_ip] | | stats count by server_ip

Thanks

vrajshekar · ‎06-02-2020

Below is DBotAvgScore array, that is present in the context data

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3

vrajshekar · ‎06-02-2020

Hi @kamlesh_vaghela

I tried this and it did not work, > DBotAvgScore.Indicator is array that is present in the Context data of Demisto.
Splunk Search on demisto threw an error.

kamlesh_vaghela · ‎06-02-2020

@vrajshekar

Can you please share sample data and xml? So I can help you more on that,

vrajshekar · ‎06-03-2020

i am unable to share the sample data here for some reason.

vrajshekar · ‎06-03-2020

@kamlesh_vaghela
Sample data below, hope this helps
DBotAvgScore array, this is available in the context data.

DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3

vrajshekar · ‎06-02-2020

The error is get is
Error in 'SearchParser': Missing a search command before '"'. Error at position '95' of search query 'search source="squid" clientip="xxxx" serv...{snipped} {errorcontext = er_ip IN(["204.79.197}'.

Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run.

search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases