mcm · June 12, 2020 14:06
diff --git a/gistfile1.txt b/gistfile1.txt
 | rest splunk_server=local /services/alerts/suppressions | table title author search disabled description updated
 | rex field=search max_match=100 "\s(?!source)(?P<fields>(\w+))(=|>|<)"
 | stats values(fields) as fields by title author search disabled description updated
 | rex field=search max_match=2 "_time(\<|\>|\=).(?P<time_fields>.[^\s]+)"
 | rex field=search max_match=2 "_time(?P<time_comparators>.[^\d+]*)"
 | eval multi_times=if(mvcount(time_fields) > 1, "True", "False")
 | eval start_time=mvindex(time_fields, 0)
 | eval end_time=mvindex(time_fields, 1)
 | fillnull start_time, end_time value="0"
 | fillnull time_comparators value="-"
 | eval duration=if(start_time!=0 AND end_time!=0, (end_time-start_time)/86400, 0)
 | eval type=case(mvcount(time_comparators) == 2 AND like(time_comparators, "%>%") AND like(time_comparators, "%<%"), "Start and End Times", like(time_comparators, "%>%") AND NOT like(time_comparators, "%<%"), "Permanent", like(time_comparators, "%<%"), "End Time", time_comparators="-", "Permanent", 1=1, "-")
 | eval field_count=mvcount(fields) | fillnull field_count value="0"
 | fields title, author, search, type, duration, field_count, disabled description updated
 | search type="Permanent" OR duration > 7 OR field_count<=1 NOT ([inputlookup known_suppressions.csv | table title] OR [inputlookup allowed_suppression_authors.csv | table author])
 | eval alert_reason=case(type=="Permanent", "No End Time Found In Search.", duration >7, "Extends longer than a week.", field_count<=1, "Has Only One Field.", 1=1, "-")
 | join title type=outer [
 search index=_audit action=edit_suppressions operation=create earliest="-30d" latest="now" | rex field=_raw "object=\"(?<title>.+)\"" | eval created_at = _time | stats latest(created_at) as created_at by title]
 | outputlookup append=t known_suppressions.csv
 | table title, description alert_reason, author, search, disabled created_at
 | eval message="Permanent suppression was created by ".author
	\| rest splunk_server=local /services/alerts/suppressions \| table title author search disabled description updated
	\| rex field=search max_match=100 "\s(?!source)(?P<fields>(\w+))(=\|>\|<)"
	\| stats values(fields) as fields by title author search disabled description updated
	\| rex field=search max_match=2 "_time(\<\|\>\|\=).(?P<time_fields>.[^\s]+)"
	\| rex field=search max_match=2 "_time(?P<time_comparators>.[^\d+]*)"
	\| eval multi_times=if(mvcount(time_fields) > 1, "True", "False")
	\| eval start_time=mvindex(time_fields, 0)
	\| eval end_time=mvindex(time_fields, 1)
	\| fillnull start_time, end_time value="0"
	\| fillnull time_comparators value="-"
	\| eval duration=if(start_time!=0 AND end_time!=0, (end_time-start_time)/86400, 0)
	\| eval type=case(mvcount(time_comparators) == 2 AND like(time_comparators, "%>%") AND like(time_comparators, "%<%"), "Start and End Times", like(time_comparators, "%>%") AND NOT like(time_comparators, "%<%"), "Permanent", like(time_comparators, "%<%"), "End Time", time_comparators="-", "Permanent", 1=1, "-")
	\| eval field_count=mvcount(fields) \| fillnull field_count value="0"
	\| fields title, author, search, type, duration, field_count, disabled description updated
	\| search type="Permanent" OR duration > 7 OR field_count<=1 NOT ([inputlookup known_suppressions.csv \| table title] OR [inputlookup allowed_suppression_authors.csv \| table author])
	\| eval alert_reason=case(type=="Permanent", "No End Time Found In Search.", duration >7, "Extends longer than a week.", field_count<=1, "Has Only One Field.", 1=1, "-")
	\| join title type=outer [
	search index=_audit action=edit_suppressions operation=create earliest="-30d" latest="now" \| rex field=_raw "object=\"(?<title>.+)\"" \| eval created_at = _time \| stats latest(created_at) as created_at by title]
	\| outputlookup append=t known_suppressions.csv
	\| table title, description alert_reason, author, search, disabled created_at
	\| eval message="Permanent suppression was created by ".author