Splunk® Enterprise Security

Administer Splunk Enterprise Security


Expand tokens in notable events using the expandtoken command

Tokens in notable event titles and descriptions are automatically expanded to their values on the Incident Review dashboard. With the expandtoken search command, you can expand those tokens within a search so that token replacement happens in your search results. The expandtoken search command is intended for use in Splunk Web.

Description

Expand the fields in notable events that contain tokens in the values, such as the title (rule_name) or description (rule_description) of a notable event. Tokens are automatically expanded on the Incident Review dashboard, but not within search.

Syntax

... | expandtoken [field],[field1],[field2]...

Optional argument

field

Description: The name of a field in the notable event that contains a token to expand. Do not specify the name of the token. Specify additional fields separated by commas. If you do not specify a field, all fields are processed for tokens to expand. For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.

Usage

The expandtoken command is a streaming command.

Limitations

The expandtoken command does not support token delimiters in the middle of a field name.

If you have tokens dependent on the expansion of other tokens, those tokens might not be reliably expanded because you cannot specify the order in which tokens are expanded. For example, if you have a rule_description: "Brute force access behavior detected from $src$." and a drilldown_name: "See contributing events for $rule_description$", the following search might expand the $src$ token without expanding the $rule_description$ token.

`notable` | expandtoken
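To make the ordering problem concrete, here is an added Python model of $token$ expansion over one notable event. It is not Splunk's implementation: it assumes a single pass substitutes each token from the original field values (the page does not specify the real order), which reproduces a leftover token, and it shows that repeating the pass until nothing changes resolves the dependency. The event below is constructed.

```python
import re

# Matches $name$ tokens; field names in notable events are word characters.
TOKEN = re.compile(r"\$(\w+)\$")

# Constructed sample notable event (values are made up for illustration).
EVENT = {
    "src": "10.0.0.5",
    "rule_description": "Brute force access behavior detected from $src$.",
    "drilldown_name": "See contributing events for $rule_description$",
}


def expand_once(event, fields=None):
    """One pass: every $name$ is replaced with the ORIGINAL value of field
    `name`, so a token inside that value survives into the result."""
    targets = fields or list(event)
    out = dict(event)
    for field in targets:
        out[field] = TOKEN.sub(lambda m: event.get(m.group(1), m.group(0)), event[field])
    return out


def expand_fixpoint(event, max_rounds=10):
    """Repeat single passes until no field changes. Self-referencing tokens
    never settle, so give up after max_rounds instead of looping forever."""
    cur = dict(event)
    for _ in range(max_rounds):
        nxt = expand_once(cur)
        if nxt == cur:
            return nxt
        cur = nxt
    raise ValueError("token expansion did not converge (self-referencing token?)")


def unexpanded(event):
    """Check used after expansion: which fields still carry which tokens."""
    return {f: TOKEN.findall(v) for f, v in event.items() if TOKEN.search(v)}
```

After one pass, `rule_description` is fully expanded but `drilldown_name` still contains `$src$`; `unexpanded()` is the check to run over results before trusting a drilldown string.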

For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.

Examples

The following examples show usage of the expandtoken search command in Splunk Web.

Expand tokens for all notable events

`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search

Expand tokens for a specific notable event

Expand tokens for a specific notable event based on the event_id field.

`notable` | where event_id="<event_id>" | expandtoken rule_title,rule_description

Expand tokens for a specific notable event based on the short ID field.

`notable` | where notable_xref_id="<short ID>" | expandtoken rule_title,rule_description

See also

For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.

For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.


This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Comments

Hi @Pongc. The investigation is complete. I have updated the docs to reflect that the expandtoken search command is intended for use in Splunk Web.

Lkutch splunk, Splunker
May 9, 2019

Thanks for asking about this @Pongc. I sent you an email with my follow up questions. I am opening a ticket to investigate.

Lkutch splunk, Splunker
May 6, 2019

Would help if there can be a note added on how to handle tokens which have values that can be multiline, e.g. $dest$. They return okay on the UI, but through the API it is broken into multiple lines.

Pongc
May 6, 2019
