Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Expand tokens in notable events using the expandtoken command

Tokens in notable event titles and descriptions automatically get expanded to include the values of the tokens on the Incident Review dashboard. With the expandtoken search command, you can expand the tokens in any search that you run manually for notable events, say using the notable macro. The notable is displayed in the same way as it is displayed by the Incident Review dashboard. The expandtokensearch command is intended for use in Splunk Web.

Description

Expand the fields in notable events that contain tokens in the values, such as the title (rule_name) or description (rule_description) of a notable event. Tokens are automatically expanded on the Incident Review dashboard, but not within search.

Syntax

... | expandtoken [field],[field1],[field2]...

Optional argument

field

Description: The name of a field in the notable event that contains a token to expand. Do not specify the name of the token. Specify additional fields separated by commas. If you do not specify a field, all fields are processed for tokens to expand. For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.

Usage

The expandtoken command is a streaming command.

Limitations

The search command does not support token delimiters in the middle of a field name.

If you have tokens dependent on the expansion of other tokens, those tokens might not be reliably expanded because you cannot specify the order in which tokens are expanded. For example, if you have a rule_description: "Brute force access behavior detected from $src$." and a drilldown_name: "See contributing events for $rule_description$", the following search might expand the $src$ token without expanding the $rule_description$ token.

`notable` | expandtoken

For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.

Examples

The following examples show usage of the expandtoken search command in Splunk Web.

Expand tokens for all notable events

`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search

Expand tokens for a specific notable event

Expand tokens for a specific notable event based on the event_id field.

`notable` | where event_id="<event_id>" | expandtoken rule_title,rule_description

Expand tokens for a specific notable event based on the short ID field.

`notable` | where notable_xref_id="<short ID>" | expandtoken rule_title,rule_description

See also

For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.

For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.

Last modified on 09 January, 2024
Customize notable event settings in Splunk Enterprise Security   Manage investigations in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters