Expand tokens in notable events using the expandtoken command
Tokens in notable event titles and descriptions automatically get expanded to include the values of the tokens on the Incident Review dashboard. With the expandtoken
search command, you can expand the tokens in any search that you run manually for notable events, say using the notable macro. The notable is displayed in the same way as it is displayed by the Incident Review dashboard. The expandtoken
search command is intended for use in Splunk Web.
Description
Expand the fields in notable events that contain tokens in the values, such as the title (rule_name
) or description (rule_description
) of a notable event. Tokens are automatically expanded on the Incident Review dashboard, but not within search.
Syntax
... | expandtoken [field],[field1],[field2]...
Optional argument
field
- Description: The name of a field in the notable event that contains a token to expand. Do not specify the name of the token. Specify additional fields separated by commas. If you do not specify a field, all fields are processed for tokens to expand. For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.
Usage
The expandtoken
command is a streaming command.
Limitations
The search command does not support token delimiters in the middle of a field name.
If you have tokens dependent on the expansion of other tokens, those tokens might not be reliably expanded because you cannot specify the order in which tokens are expanded. For example, if you have a rule_description: "Brute force access behavior detected from $src$." and a drilldown_name: "See contributing events for $rule_description$", the following search might expand the $src$ token without expanding the $rule_description$ token.
`notable` | expandtoken
For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.
Examples
The following examples show usage of the expandtoken
search command in Splunk Web.
Expand tokens for all notable events
`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search
Expand tokens for a specific notable event
Expand tokens for a specific notable event based on the event_id field.
`notable` | where event_id="<event_id>" | expandtoken rule_title,rule_description
Expand tokens for a specific notable event based on the short ID field.
`notable` | where notable_xref_id="<short ID>" | expandtoken rule_title,rule_description
See also
For a list of example fields in notable events, see Using notable events in search in the Splunk developer portal.
For more information about tokens, see Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.
Customize notable event settings in Splunk Enterprise Security | Manage investigations in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!