Splunk® Enterprise Security

Administer Splunk Enterprise Security

Expand tokens in findings in Splunk Enterprise Security

Tokens in the titles and descriptions of findings automatically expand in the analyst queue on the Mission Control page to include the values of the tokens. With the expandtoken search command, you can expand the tokens in any search that you run manually for findings. For example, using the notable macro, you can see the finding displayed in the same way as on the Mission Control page. The expandtokensearch command is intended for use in Splunk Web.

Description

Expand the fields in findings that contain tokens in the values, such as the title rule_name or description rule_description of a finding. Tokens automatically expand on the Mission Control page, but not within search.

Syntax

... | expandtoken [field],[field1],[field2]...

Optional argument

field

Description: The name of a field in the finding that contains a token to expand. Do not specify the name of the token. Specify additional fields separated by commas. If you do not specify a field, all fields are processed for tokens to expand. For a list of example fields in findings, see Using findings in search in the Splunk developer portal.

Usage

The expandtoken command is a streaming command.

Limitations

The search command does not support token delimiters in the middle of a field name.

If you have tokens dependent on the expansion of other tokens, those tokens might not be reliably expanded because you cannot specify the order in which tokens are expanded. For example, if you have a rule_description: "Brute force access behavior detected from $src$." and a drilldown_name: "See contributing events for $rule_description$", the following search might expand the $src$ token without expanding the $rule_description$ token.

`notable` | expandtoken

Examples

The following examples show usage of the expandtoken search command in Splunk Web.

Expand tokens for all findings

`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search

Expand tokens for a specific finding

Expand tokens for a specific finding based on the event_id field.

`notable` | where event_id="<event_id>" | expandtoken rule_title,rule_description

Expand tokens for a specific finding based on the short ID field.

`notable` | where notable_xref_id="<short ID>" | expandtoken rule_title,rule_description

See also

For more information about using tokens in Splunk Enterprise Security, see the product documentation:

Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.

Last modified on 22 August, 2024
Display annotations for findings and investigations in Splunk Enterprise Security   Create finding groups in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters