Tags: splunk, splunk-query

Questions related to splunk builtin macros in correlation search


I am not sure if this is the appropriate forum to ask this question, but I really need help and I am stuck. So here goes: I am exploring Splunk Enterprise Security and was specifically looking into analytic stories and correlation searches. For example:
Analytic story: Trickbot
Correlation search: Attempt to stop security service

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR  Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup security_services_lookup service as process OUTPUTNEW category, description 
| search category=security 
| `attempt_to_stop_security_service_filter`

I am trying to understand what exactly this code is doing, but I am stuck at macros like security_content_summariesonly, drop_dm_object_name, security_content_ctime and attempt_to_stop_security_service_filter. I can't find definitions for these macros anywhere. I have tried looking under Settings -> Advanced search -> Search macros, but they are not listed there.
Can somebody help?


Solution

  • If you have access to the host(s) Splunk is running on, you can find the definitions in $SPLUNK_HOME/etc/*/macros.conf.

    If you don't have that access, then it's possible you don't have permissions to see the definitions of those macros.

    However, you can always use the Job Inspector to see how Splunk translates what you type into what it runs.
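To make concrete what the Job Inspector shows, here is an added example (not part of the original question or answer, and not Splunk code) that reads macros.conf stanzas and expands the backtick calls in the posted correlation search the same way Splunk does: a stanza named `name(N)` is a macro taking N arguments, and each `$arg$` token in its definition is replaced by the caller's argument. The macros.conf text embedded below is a constructed sample; it follows the definitions published in Splunk's public security_content project, but the exact text on your search head may differ, so check it against your own macros.conf or the Job Inspector before relying on it.

```python
"""Expand backtick macros in an SPL search the way Splunk does before it runs.

Added example, not from the original post. MACROS_CONF is a constructed sample
modelled on the security_content definitions (assumption: verify against your
own deployment); SEARCH is the correlation search from the question.
"""
import configparser
import re

# Constructed macros.conf sample. "(1)" in a stanza name is the macro's arity;
# "args" names the parameters that appear as $name$ in "definition".
MACROS_CONF = """
[security_content_summariesonly]
definition = summariesonly=false allow_old_summaries=true fillnull_value=null
iseval = 0

[drop_dm_object_name(1)]
args = object
definition = rename $object$.* as *
iseval = 0

[security_content_ctime(1)]
args = field
definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
iseval = 0

[attempt_to_stop_security_service_filter]
definition = search *
iseval = 0
"""

# The correlation search from the question, macro calls left in place.
SEARCH = (
    "| tstats `security_content_summariesonly` values(Processes.process) as process "
    "min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes "
    "where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) "
    'Processes.process="* stop *" by Processes.dest Processes.user '
    "Processes.parent_process Processes.process_name Processes.process "
    "Processes.process_id Processes.parent_process_id "
    "| `drop_dm_object_name(Processes)` "
    "| `security_content_ctime(firstTime)` "
    "| `security_content_ctime(lastTime)` "
    "| lookup security_services_lookup service as process OUTPUTNEW category, description "
    "| search category=security "
    "| `attempt_to_stop_security_service_filter`"
)

# A macro call: `name` or `name(arg1, arg2, ...)`.
MACRO_CALL = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^`]*)\))?`")


def load_macros(conf_text):
    """Parse macros.conf into {stanza: {"args": [...], "definition": str, "iseval": bool}}."""
    parser = configparser.ConfigParser(interpolation=None)  # "%" is literal in strftime formats
    parser.optionxform = str
    parser.read_string(conf_text)
    macros = {}
    for name in parser.sections():
        sect = parser[name]
        args = [a.strip() for a in sect.get("args", "").split(",") if a.strip()]
        macros[name] = {
            "args": args,
            "definition": sect.get("definition", ""),
            "iseval": sect.get("iseval", "0").strip() == "1",
        }
    return macros


def expand_once(search, macros):
    """Replace each macro call with its definition, substituting $arg$ tokens."""
    def substitute(match):
        name, raw_args = match.group(1), match.group(2)
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        key = f"{name}({len(args)})" if args else name  # arity is part of the stanza name
        if key not in macros:
            raise KeyError(f"macro {key} is not defined (or not visible to this user)")
        macro = macros[key]
        if macro["iseval"]:
            raise NotImplementedError(f"{key} is eval-based; only literal definitions are expanded here")
        if len(macro["args"]) != len(args):
            raise ValueError(f"{key} declares {len(macro['args'])} args, got {len(args)}")
        body = macro["definition"]
        for formal, actual in zip(macro["args"], args):
            body = body.replace(f"${formal}$", actual)
        return body
    return MACRO_CALL.sub(substitute, search)


def expand(search, macros, max_depth=10):
    """Expand until no macro calls remain; definitions may themselves call macros."""
    for _ in range(max_depth):
        expanded = expand_once(search, macros)
        if expanded == search:
            return expanded
        search = expanded
    raise RecursionError("macro expansion did not converge; look for a self-referencing macro")


if __name__ == "__main__":
    print(expand(SEARCH, load_macros(MACROS_CONF)))
```

Running it prints the search with `summariesonly=false allow_old_summaries=true fillnull_value=null` in place of the first macro, `rename Processes.* as *` (which is why the later `lookup` and `search` can use bare field names like `process` and `category`), two `convert ... ctime(...)` calls, and a trailing `search *` for the filter macro, which exists so that an analyst can later narrow the detection without editing the search itself. On a real search head, `splunk btool macros list 'security_content_ctime(1)' --debug` reports the same definition together with the file it comes from, and `| rest /servicesNS/-/-/configs/conf-macros` lists every macro the current user is permitted to see; if a macro is missing from both the REST output and the Settings page, the cause is usually that the app's knowledge objects are not shared with your role or that the Settings page is filtered to a different app context.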