Hey folks. I'm trying to write an HTML View for cases (data is coming in from Splunk). And I'm running into a problem.
If a case has a single event then the entity I might reference would look like this:
In which case the string in the "description" field of my Splunk alert is shown without issue.
However, if the case has multiple events then the string that is shown is a concatenated list of all of the "description" strings from every event separated by a comma.
I am looking for an entity name that always shows up for that data and is always just the first event.
I've seen at times. But that only seems to show up if there are multiple events (or maybe for multivalue fields?)
Are there any resources for understanding how Siemplify makes entities related to Splunk events?
Hello @Keith_Allen
So if I understand properly, you are looking for a placeholder that can always help you and find only the entity name, to be shown properly in the widget you are writing.
Eventually, that's a very valid pain point that we are trying to resolve these days, but until that point in time, you can have an "if" in the code, to see if you have a single item in the events, or multiple items, and in every case use the correct one.
In case you are using the default mapping provided with our integration, I might be able to help further, but I'm guessing your mapping is a little bit different and thus it really depends on it.
Please let me know if you have additional questions.