Add custom fields to Splunk Security Essentials
As a third-party developer, you might want to show users details about your company. Add custom fields, such as a company name and description, to your content and SSE displays them for the user. The following example shows the company fields as they appear in the content JSON:

```json
{
  "company_description": "Buttercup Labs is the premier distributor of Pony-related security analytics. We have been protecting organizations from bad ponies for over 10 years now.\n\\n\\n\nEnjoy our freely available content for detecting bad ponies in your environment, and reach out to us for a demo or trial license of our premium Pony Detection app!\n\\n\\n\nHave you successfully found bad ponies in your own environment? Buttercup Labs is hiring! We are a wholly owned subsidiary of Buttercup Games.",
  "company_link": "http://buttercupgames.com/",
  "company_logo": "https://image.slidesharecdn.com/splunklivesfhowtoalignyourdailysplunkactivitiesbreakoutsession-160317192319/95/how-to-align-your-daily-splunk-activities-breakout-session-23-638.jpg?cb=1458242654",
  "company_logo_height": 250,
  "company_logo_width": 444,
  "company_name": "Buttercup Labs"
}
```
Use included hard-coded fields
Splunk Security Essentials (SSE) includes the following hard-coded fields:
- Search
- Known False Positives
- How to Implement
- How to Respond
- Help
- Company Information
All of these fields appear as dedicated accordions on the Custom Content page. If you need additional categories, define them in the additional_context field of your content, which is an array of objects. Each object shows up as a new accordion in the UI and can contain any of the following fields:
| Field name | Description |
|---|---|
| title | Names the accordion. If left empty, the title defaults to "Additional Context". This field is text-only. |
| open_panel | Determines whether the accordion is open by default. Set it to true or false. |
| detail | An optional Markdown text block. |
| link | An optional URL users can follow to learn more. When filled, a button appears with the label Learn More.... |
| search_label | Labels the search, immediately before the pre tag. If left empty, the label defaults to "Search". This field is text-only. |
| search_lang | Defines the language the search field is written in. Leave it blank for Splunk Search Processing Language (SPL), or set it to conf to print .conf file options. For other code, the value is passed to highlight.js as the language, so the default highlight.js languages are supported: properties, python, rust, less, perl, diff, scss, bash, shell, makefile, json, ini, http, coffeescript, css, objectivec, ruby, yaml, java, sql, apache, kotlin, xml, markdown, swift, plaintext, typescript, nginx, go, javascript, php, cs (C#), lua, and cpp. |
| search | SPL or any other raw code. |
The following example defines two accordions: one with an SPL search, and one that prints a .conf fragment using search_lang, search_label and open_panel:

```json
{
  "additional_context": [
    {
      "search": "index=* sourcetype=ponies",
      "open_panel": true,
      "title": "Additional Potential Search",
      "link": "https://www.splunk.com/blog/2016/09/28/buttercup-games.html",
      "detail": "### Background\n* You might want to look at all data regarding ponies.\n* Here you can find all of the detail produced by Buttercup Labs Pony Monitoring."
    },
    {
      "title": "Conf file for Adding a New SSE Channel",
      "search": "[ButtercupLabs]\nchannel=ButtercupLabs\nname=Buttercup Labs\ndescription=Buttercup Labs produces high-quality security analytics run through the Splunk platform. While Buttercup sells a commercial threat analytics app, they have also released a variety of community content. All is available through Splunk Security Essentials.\ntype=app\napp_context=Splunk_Security_Essentials\ncontent_download_url=https://go.splunksecurityessentials.com/myContentLocation",
      "detail": "Adding this file and restarting Splunk registers a new content source into SSE.",
      "search_lang": "conf",
      "search_label": "Example Configuration",
      "open_panel": true
    }
  ]
}
```
SSE renders the search field with the following code, where lang holds the search_lang value. Because the search text is inserted with .text(), it is displayed literally rather than interpreted as HTML. If you're using SPL, an Open In Search button appears below the rendered search:

```javascript
if (additional_context[num].search) {
  // Wrap the raw search in <pre class="search"><code class="{lang}">,
  // using .text() so the content is escaped, not parsed as markup.
  output += $("<div>")
    .append(
      $("<pre>").attr("class", "search")
        .append($("<code>").attr("class", lang).text(obj.search))
    )
    .html();
}
```
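Before shipping content, it is worth checking that the company fields and every additional_context object follow the rules above, since SSE applies the defaults silently and passes search_lang and link values through to the browser as-is. The following validator is an added example, not SSE's own code: it applies the documented defaults (title, search_label, blank search_lang meaning SPL), rejects unknown field names, non-boolean open_panel values, search_lang values outside the list above, and link or logo values that are not absolute http(s) URLs. The sample document at the bottom is constructed for the example; its third accordion is deliberately broken so that each check fires.

```python
import json
from urllib.parse import urlparse

# search_lang values listed on this page, lowercased: the value is used
# verbatim as the highlight.js class on the rendered <code> element.
SEARCH_LANGS = {
    "conf", "properties", "python", "rust", "less", "perl", "diff", "scss",
    "bash", "shell", "makefile", "json", "ini", "http", "coffeescript", "css",
    "objectivec", "ruby", "yaml", "java", "sql", "apache", "kotlin", "xml",
    "markdown", "swift", "plaintext", "typescript", "nginx", "go",
    "javascript", "php", "cs", "lua", "cpp",
}
CONTEXT_FIELDS = {"title", "open_panel", "detail", "link",
                  "search_label", "search_lang", "search"}
COMPANY_FIELDS = {"company_description", "company_link", "company_logo",
                  "company_logo_height", "company_logo_width", "company_name"}


def check_url(value, where):
    """Return an error string unless value is an absolute http(s) URL."""
    # javascript:, data: and relative values would become the target of the
    # Learn More / company link button unchanged, so reject them up front.
    parts = urlparse(str(value))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return f"{where}: expected an absolute http(s) URL, got {value!r}"
    return None


def normalize_context(entry, index):
    """Apply the documented defaults to one additional_context object."""
    where = f"additional_context[{index}]"
    if not isinstance(entry, dict):
        return None, [f"{where}: must be a JSON object"]
    errors = []
    unknown = sorted(set(entry) - CONTEXT_FIELDS)
    if unknown:
        errors.append(f"{where}: unknown fields {unknown}")
    out = {
        "title": entry.get("title") or "Additional Context",
        "open_panel": entry.get("open_panel", False),
        "detail": entry.get("detail", ""),
        "search": entry.get("search", ""),
        "search_label": entry.get("search_label") or "Search",
        # empty string means SPL, which gets the Open In Search button
        "search_lang": (entry.get("search_lang") or "").strip().lower(),
    }
    if not isinstance(out["open_panel"], bool):
        errors.append(f"{where}.open_panel: must be true or false")
        out["open_panel"] = False
    if out["search_lang"] and out["search_lang"] not in SEARCH_LANGS:
        errors.append(f"{where}.search_lang: unsupported value {out['search_lang']!r}")
    if "link" in entry:
        err = check_url(entry["link"], f"{where}.link")
        if err:
            errors.append(err)
        else:
            out["link"] = entry["link"]
    return out, errors


def validate_custom_content(doc):
    """Return (normalized_doc, errors) for a custom-content JSON string or dict."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    errors = []
    out = {k: doc[k] for k in COMPANY_FIELDS if k in doc}
    for key in ("company_link", "company_logo"):
        err = check_url(out[key], key) if key in out else None
        if err:
            errors.append(err)
    for key in ("company_logo_height", "company_logo_width"):
        val = out.get(key)
        if val is not None and (isinstance(val, bool) or not isinstance(val, int) or val <= 0):
            errors.append(f"{key}: must be a positive integer")
    contexts = doc.get("additional_context", [])
    if not isinstance(contexts, list):
        errors.append("additional_context: must be an array of objects")
        contexts = []
    out["additional_context"] = []
    for index, entry in enumerate(contexts):
        normalized, errs = normalize_context(entry, index)
        errors.extend(errs)
        if normalized is not None:
            out["additional_context"].append(normalized)
    return out, errors


# Constructed sample: the page's two accordions plus a deliberately broken one
# (bad open_panel, unsupported search_lang, javascript: link, unknown field).
SAMPLE = json.dumps({
    "company_name": "Buttercup Labs",
    "company_link": "http://buttercupgames.com/",
    "company_logo_height": 250,
    "company_logo_width": "444",
    "additional_context": [
        {"search": "index=* sourcetype=ponies", "open_panel": True,
         "title": "Additional Potential Search",
         "link": "https://www.splunk.com/blog/2016/09/28/buttercup-games.html"},
        {"title": "Conf file for Adding a New SSE Channel",
         "search": "[ButtercupLabs]\nchannel=ButtercupLabs",
         "search_lang": "conf", "search_label": "Example Configuration"},
        {"search": "Get-Process", "search_lang": "powershell",
         "open_panel": "yes", "link": "javascript:alert(1)", "notes": "n/a"},
    ],
})

if __name__ == "__main__":
    normalized, problems = validate_custom_content(SAMPLE)
    print(json.dumps(normalized, indent=2))
    print("\n".join("ERROR: " + p for p in problems))
```

Run it against your own content JSON instead of SAMPLE; an empty error list means SSE will render every accordion with the fields you intended, and the normalized output shows exactly which defaults will be applied.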
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1