Expand tokens in findings in Splunk Enterprise Security
Tokens in the titles and descriptions of findings automatically expand in the analyst queue on the Mission Control page to include the values of the tokens. With the expandtoken
search command, you can expand the tokens in any search that you run manually for findings. For example, using the notable
macro, you can see the finding displayed in the same way as on the Mission Control page. The expandtoken
search command is intended for use in Splunk Web.
Description
Expand the fields in findings that contain tokens in the values, such as the title rule_name
or description rule_description
of a finding. Tokens automatically expand on the Mission Control page, but not within search.
Syntax
... | expandtoken [field],[field1],[field2]...
Optional argument
field
- Description: The name of a field in the finding that contains a token to expand. Do not specify the name of the token. Specify additional fields separated by commas. If you do not specify a field, all fields are processed for tokens to expand. For a list of example fields in findings, see Using findings in search in the Splunk developer portal.
Usage
The expandtoken
command is a streaming command.
Limitations
The search
command does not support token delimiters in the middle of a field name.
If you have tokens dependent on the expansion of other tokens, those tokens might not be reliably expanded because you cannot specify the order in which tokens are expanded. For example, if you have a rule_description: "Brute force access behavior detected from $src$." and a drilldown_name: "See contributing events for $rule_description$", the following search might expand the $src$ token without expanding the $rule_description$ token.
`notable` | expandtoken
Examples
The following examples show usage of the expandtoken
search command in Splunk Web.
Expand tokens for all findings
`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search
Expand tokens for a specific finding
Expand tokens for a specific finding based on the event_id field.
`notable` | where event_id="<event_id>" | expandtoken rule_title,rule_description
Expand tokens for a specific finding based on the short ID field.
`notable` | where notable_xref_id="<short ID>" | expandtoken rule_title,rule_description
See also
For more information about using tokens in Splunk Enterprise Security, see the product documentation:
Token usage in dashboards in the Splunk Enterprise Dashboards and Visualizations Manual.
Display annotations for findings and investigations in Splunk Enterprise Security | Create finding groups in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!