Multi-record, custom field Splunk alert examples
When you create multi-record Splunk alerts with custom fields, you need to define the search criteria that generate the alert data. Examples of search criteria for security incidents and for security events follow.
Security incident search
For a security incident, this criteria builds a search to fill in columns in the security incident table.
host=Development source="/CodeArchive/password/password_decrypt.cpp" |
eval contact_type="Monitoring" |
eval cmdb_ci=host |
eval subcategory="Sensitive Data Monitoring" |
eval description=_raw |
eval source_ip=found_ip
Security event search
For a security event, this is the same search, but it populates Event fields instead. If this event is turned into a security incident, and any fields that do not exist in the event are populated, they are transferred to the security incident. Otherwise, they remain in the additional information field of the event and alert.
host=Development source="/CodeArchive/password/password_decrypt.cpp" |
eval type="Monitoring" |
eval node=host |
eval source=source |
eval subcategory="Sensitive Data Monitoring" |
eval description=_raw |
eval source_ip=found_ip
Note:
The search criteria you use will add as many records as the search finds. It may add 5 records or 10,000,000,000 records, so this is NOT a recommended method for the bulk transfer of data. The intent of this method is to add one record per REST call into the ServiceNow instance.
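The following Python is an added illustration, not code from the ServiceNow or Splunk documentation. It sketches how a row from the security event search above would be carried over when the event is turned into a security incident, and it applies the record cap the note calls for before any per-record REST call is made. It assumes that a field is transferred exactly when its name matches a Security Incident column, that the Security Incident column names are the ones the incident search evals, that the leftover fields land in a field called additional_information, and that 1000 rows is the cap; all four are assumptions.

```python
import json

# Columns on the ServiceNow Security Incident table that the page's incident
# search fills in. Assumption: a real integration would read this list from the
# table schema rather than hard-coding it.
SECURITY_INCIDENT_FIELDS = {"contact_type", "cmdb_ci", "subcategory", "description", "source_ip"}

# Assumed cap on rows one alert run may turn into records: the note on the page
# warns a search can return billions of rows and that this path creates one
# record per REST call, so a runaway search should be refused, not replayed.
MAX_RECORDS_PER_ALERT = 1000

def split_event_fields(row):
    """Split one alert row as event-to-incident escalation is described: fields
    that exist on the Security Incident table are transferred, every other field
    stays behind in the event's additional information."""
    transferred = {k: v for k, v in row.items() if k in SECURITY_INCIDENT_FIELDS}
    additional = {k: v for k, v in row.items() if k not in SECURITY_INCIDENT_FIELDS}
    return transferred, additional

def within_cap(rows, limit=MAX_RECORDS_PER_ALERT):
    """True when the result set is small enough to post one record at a time."""
    return len(rows) <= limit

def build_incident_payloads(rows, limit=MAX_RECORDS_PER_ALERT):
    """One incident payload per alert row; refuses result sets over the cap."""
    if not within_cap(rows, limit):
        raise ValueError(f"{len(rows)} rows exceeds cap {limit}; narrow the search")
    payloads = []
    for row in rows:
        transferred, additional = split_event_fields(row)
        payload = dict(transferred)
        if additional:
            # Assumed name for the free-text additional information field.
            payload["additional_information"] = json.dumps(additional, sort_keys=True)
        payloads.append(payload)
    return payloads

# Constructed sample row shaped like one result of the security event search above.
SAMPLE_ROWS = [{
    "type": "Monitoring", "node": "Development",
    "source": "/CodeArchive/password/password_decrypt.cpp",
    "subcategory": "Sensitive Data Monitoring",
    "description": "constructed _raw: password_decrypt.cpp opened by user jdoe",
    "source_ip": "10.0.0.5",
}]
```

With the sample row, subcategory, description and source_ip are transferred, while type, node and source (the event-only names) end up serialised in additional_information.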