Field extractions for Splunk

For Incident Response to understand events from Splunk, Incident Response requires specific fields to be extracted for any source in Splunk.

Field extractions

Configure the following Field Extractions:
  • event_source: Identifier of the event source such as IP/FQDN, MAC address, node name.
  • event_resource_name: Name of the resource such as Disc, CPU.
  • severity: Severity of the event. The severity value should be between 1 to 5, where 1 is the highest and 5 is the lowest severity level.
  • event_type: Type of the event.
  • event_metric_name: Name of the metric for the alert.
  • event_message: Short description of the event or alert.
{
 "result": {
 "_sourcetype": "Test Splunk Error",
 "severity": "WARN",
 "_indextime": "1616430477",
 "event_resource_name": "MEMRED.ubuntu.12323",
 "source": "Test Splunk Error",
 "index": "main",
 "splunk_server_group": "",
 "eventtype": "",
 "date_zone": "local",
 "date_hour": "12",
 "_cd": "185:8",
 "date_wday": "wednesday",
 "sourcetype": "Test Splunk Error",
 "timeendpos": "47",
 "date_month": "may",
 "event_source": "A01SDED",
 "_raw": "nova-compute.log.2017-05-17_12:02:35 2017-05-17 12:01:25.139 2931 severity=WARN event_source=A01SDED,nova.virt.libvirt.imagecache,event_type=healthreport,event_resource_name=MEMRED.ubuntu.12323,event_metric_name=CPU Utilization,event_message=99% of RAM memory is used",
 "_serial": "0",
 "date_year": "2017",
 "date_second": "35",
 "_time": "1495022555",
 "_kv": "1",
 "punct": "-..--::_--_::.__=_=,...,=,=..,=_,=%_____",
 "linecount": "1",
 "date_minute": "2",
 "date_mday": "17",
 "event_message": "Test Splunk: 99% of RAM memory is used",
 "tag": "",
 "_bkt": "main~185~41B1F074-0652-444D-B530-6B5B1230CFA7",
 "_si": [
 "ip-172-10-3-163.us-east-2.compute.internal",
 "main"
 ],
 "_eventtype_color": "",
 "splunk_server": "ip-172-10-3-163.us-east-2.compute.internal",
 "host": "127.0.0.1",
 "tag::eventtype": "",
 "event_metric_name": "CPU Utilization",
 "timestartpos": "28",
 "event_type": "healthreport"
 },
 "sid": "scheduler__airadmin__search__AllAIR_at_1616499720_69545",
 "owner": "airadmin",
 "search_name": "AllAIR",
 "results_link": "http://ip-172-10-3-163.us-east-2.compute.internal:8000/app/search/@go?sid=scheduler__airadmin__search__AllAIR_at_1616499720_69545",
 "app": "search"
}
You can change the default hostname for generating URLs in outgoing notifications (example: results_link in the sample payload). To change the hostname, perform the following steps:
  • Navigate to Splunk > Settings.
  • Under SYSTEMS, click Server settings.
  • On the Server settings page, click Email settings.
  • Under the Email Format section, in the Link hostname field, enter the hostname.