This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Rawabdeh
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Rawabdeh
10-11-2021
6Posts
0Likes
0Solutions
Oct 11, 2021Last Visited
User
Activity
User
Profile
Latest posts by Rawabdeh
| Subject | Views | Posted |
|---|---|---|
| 2980 | 10-06-2021 08:06 AM | |
| 2992 | 10-06-2021 07:36 AM | |
| 3028 | 10-06-2021 04:59 AM | |
| 3212 | 10-05-2021 07:13 AM | |
| 3265 | 10-03-2021 01:59 AM |
User Badges
Community Statistics
| Member Since | 06-01-2020 06:05 AM |
| Date Last Visited | 10-11-2021 10:02 AM |
| Posts | 6 |
10-06-2021
08:06 AM
I have just created 4 fields and mapped their values to drill down details and it's working fine. I know this isn't the best practice to create custom fields for each alert coming from Splunk. This was only for testing purposes. I can confirm that this isn't related to drill down fetching or mapping. issue is narrowed down to context display i believe.
... View more
10-06-2021
07:36 AM
That's what I've been trying to find out. the only changes I've made are on playbook inputs and classification. I have no idea how context parsing started behaving like this
... View more
10-06-2021
04:59 AM
@ABurt This is exactly what's happening, context is not picking up this exact JSON parser. Drill down is coming under label as shown in this screenshot Here i say it again, it was all parsed before and i built my playbooks based on these values.
... View more
10-05-2021
07:13 AM
Thank you for your contribution @ABurt Actually drill down is supposed to look like the first screenshot (I'm using it in my playbooks as Drilldown.[0].Country.[0] >> maps to: Saudi Arabia in the first screenshot) I have tried checking that box you mentioned and indeed, it stopped throwing all JSON details under incident.labels and I was able to use the custom field (mapped with drilldown values) I created. But that means I have to create a field for each value in each alert coming from Splunk and i don't think that's a feasible solution. What's confusing me is that context had drill down parsed just the way it's seen in mapper and I built my playbooks based on this format. Out of nowhere it noticed empty data in sub-playbooks and found out about this issue. No changes were applied on any account
... View more
10-03-2021
01:59 AM
@Strunce thank you for your reply. This video discusses splitting data at classifier level, but I have that already applied in my classifier & mapper as per the above screenshots. No transformations are present within my classifier or mapper. I just created a complete new account with fresh installation and integration with a totally different Splunk instance and the same issue persists. Do you happen to know how data is filled into context and what controls this process? should I dig into automations for pre-processing rules?
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks