Ftrsec

Useful Splunk commands – Cheatsheets

Check the last trigger time of each rule

| rest /servicesNS/-/-/saved/searches
| regex title="$REGEX_to_match_your_rules_standard"
| search disabled=0 request.ui_dispatch_app="$YOUR_RULES_APP"
| rename title as ss_name
| join type=left
    [ search index=_audit action=alert_fired ss_app="$YOUR_RULES_APP"
    | stats latest(trigger_time) as lt by ss_name
    | fields ss_name, lt ]
| eval Triggered_time=strftime(lt, "%d/%m/%Y %I:%M:%S %p")
| eval Triggered_time=if(isnull(Triggered_time), "Not Triggered", Triggered_time)
| eval Status=if(Triggered_time=="Not Triggered", "Not Triggered", "Triggered")
| table ss_name, Triggered_time, Status, search
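An added variant of the query above (written for this page, not taken from the original cheatsheet) that goes one step further: it fixes the audit window to 90 days, counts how often each rule fired in that window, computes the number of days since the last trigger and flags rules as never triggered, stale or active. The placeholders $REGEX_to_match_your_rules_standard and $YOUR_RULES_APP are the same as above; the 30-day staleness threshold is an arbitrary choice, and the cron_schedule field is assumed to be returned by the saved/searches REST endpoint for scheduled searches.

```spl
| rest /servicesNS/-/-/saved/searches
| search disabled=0 request.ui_dispatch_app="$YOUR_RULES_APP"
| regex title="$REGEX_to_match_your_rules_standard"
| rename title as ss_name
| fields ss_name, cron_schedule, search
| join type=left ss_name
    [ search index=_audit action=alert_fired ss_app="$YOUR_RULES_APP" earliest=-90d
    | stats latest(trigger_time) as lt, count as fired_90d by ss_name ]
| eval fired_90d=coalesce(fired_90d, 0)
| eval days_since=if(isnull(lt), null(), round((now()-lt)/86400, 1))
| eval Triggered_time=if(isnull(lt), "Not Triggered", strftime(lt, "%d/%m/%Y %I:%M:%S %p"))
| eval Status=case(isnull(lt), "Never triggered (90d)", days_since>30, "Stale (>30d)", true(), "Active")
| table ss_name, cron_schedule, Triggered_time, days_since, fired_90d, Status, search
| sort Status, -days_since
```

The subsearch inside join is bound by the subsearch result limit (50,000 rows by default) and by the time range you run the search with, so the explicit earliest=-90d keeps the window deterministic; a rule listed as never triggered here may simply not have fired inside that window. Rules with a cron_schedule but a high days_since are the ones worth reviewing first, since they are scheduled yet silent.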
