Giter Club home page Giter Club logo

sa-token_replacement's Introduction

As of Splunk Enterprise Security 5.0 and greater, this app has been deprecated in favor of native expandtoken command that ships with the product.

expandtoken usage

For targeted fields:

 | localop | stats count

 | eval rule_title="hello $name$", rule_description="this means $name$, is $value$"
 | eval name="vladimir", value="awesome"

 | expandtoken rule_title rule_description

For any field:

 | localop | stats count

 | eval rule_title="hello $name$", rule_description="this means $name$, is $value$"
 | eval name="vladimir", value="awesome"

 | expandtoken

Into

Allows $token$ replacement with field values

Disclaimer

Command should be treated as prototype/example. Has not been fully tested, no logging exists.

Usage

 | localop | stats count

 | eval rule_title="hello $name$", rule_description="this means $name$, is $value$"
 | eval name="vladimir", value="awesome"

 | replacetokens fields="rule_title,rule_description"

OR

index="notable"

| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW security_domain, severity, rule_name, description as savedsearch_description, rule_title, rule_description, drilldown_name, drilldown_search, drilldown_earliest_offset, drilldown_latest_offset, default_status, default_owner, next_steps, recommended_actions

| replacetokens fields="rule_title,rule_description"

Screenshot

SA-token_replacement_overview

Legal

  • Splunk is a registered trademark of Splunk, Inc.

sa-token_replacement's People

Contributors

hire-vladimir avatar

Stargazers

avatar Anthony Tellez avatar

Watchers

James Cloos avatar avatar

sa-token_replacement's Issues

when item to be substituted is an mv field, exception is generated 

| localop | stats count | eval my_field="foo,bar" | makemv delim="," my_field

| eval rule_title="hello $my_field$"
| replacetokens fields="rule_title"

tosses

TypeError: expected a string or other character buffer object

As a workaround, convert MV field into a string per below

| eval my_field=mvjoin(my_field, ",")

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.