# Getting Started

## Installation

Download the Octamis XBaseD application from Splunkbase. The Octamis XBaseD app contains search-time functionality, such as dashboards, saved searches, macros, and lookups, and needs to be installed on your search heads. For more details on how to install the app in your environment, please refer to the official Splunk [Installing Add-ons](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons) documentation.

## Configuration

No specific configuration is required for the Octamis XBaseD app.

## Exploration

Discover the dashboards and start analyzing your data.

## Support and Documentation

No documentation other than this file, and no support, is provided.

## xbased_drilldown_searches.csv

An explanation is required regarding the treatment applied by the lookup generator.

Initially, this drilldown searches generator was designed to re-run detections based on the risk object chosen in the RBA investigation dashboard. The lookup generator retrieves all activated detections and creates a copy of each in the lookup file xbased_drilldown_searches.csv, in a drilldown_search column, with

```
| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME
```

appended at the end of every detection.

The principle is that the dashboard takes the risk object token, replaces the string "REPLACEME" in that lookup column with the token value, and then executes the resulting search. Your original detection is thus re-run by the dashboard with

```
| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME
```

appended at the end, and REPLACEME replaced by the token value. This dynamic execution is used on some XBaseD dashboards.

### Additional drilldown features of the lookup generator

As appending the REPLACEME search at the end of the search is not always efficient, we added some features to the lookup generator.

1. `drilldown_cut` macro

   If you use this macro anywhere in your detection SPL, it does nothing to your detection: it expands to empty text. But the lookup generator will cut the search at this point and add the REPLACEME part there. This lets you simplify/reduce your detection search, avoiding stats commands or other commands that are not mandatory for the re-execution.

2. `drilldown_mark(1)` macro

   When you use this macro in your detection SPL, it still does nothing to your original detection: it expands to empty text and takes one parameter. But the lookup generator will replace `drilldown_mark("foo_bar")` by foo_bar="REPLACEME" in the lookup. This way, you choose which field is mandatory for you, instead of the user, src, dvc or dest fields used by default. And more importantly, you choose where in your SPL! Choosing where can matter for search performance: filtering at the beginning of a search is more efficient than at the end. The macro parameter can contain "| search foo_bar"; this will be put in the drilldown_search column of the lookup as:

   ```
   | search foo_bar="REPLACEME"
   ```

3. Fixed searches

   You can enter a specific search that you don't want to be modified at all. Enter it in the fixed_search column of the xbased_drilldown_searches.csv lookup. This way, the lookup generator will keep your search 'as is' when used in the dashboards.
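To make the three rules concrete, here is an added Python emulation of the generator logic. It is example code written for this README, not the Octamis XBaseD app's own implementation, and it makes a few assumptions the README leaves open: a `drilldown_mark` replaces the default REPLACEME filter rather than adding to it, the macro is always invoked with a double-quoted parameter as shown above, and the CSV gets a `detection` name column that the README does not name. The `render_drilldown` step also goes beyond the README: it wraps the substituted risk object in a quoted SPL string literal with embedded quotes and backslashes escaped, so a risk object value that happens to contain quotes or pipe characters stays a plain value and cannot alter the structure of the re-run search.

```python
"""Emulation of the xbased_drilldown_searches.csv generator rules (added example)."""
import csv
import io
import re

# The default filter the generator appends when no drilldown_mark chose a field.
DEFAULT_TAIL = "| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME"
CUT_MACRO = "`drilldown_cut`"
# `drilldown_mark("<param>")` with the parameter captured; the parameter may
# itself start with "| search" (assumed quoting form, following the README).
MARK_RE = re.compile(r'`drilldown_mark\("([^"]*)"\)`')


def build_drilldown_search(detection_spl, fixed_search=""):
    """Return the drilldown_search value the generator would store for one detection."""
    # Rule 3: a fixed_search is copied verbatim, no other treatment applied.
    if fixed_search.strip():
        return fixed_search.strip()
    spl = detection_spl
    # Rule 1: everything after `drilldown_cut` is dropped ...
    cut_at = spl.find(CUT_MACRO)
    if cut_at != -1:
        spl = spl[:cut_at]
    # Rule 2: each `drilldown_mark("X")` becomes X="REPLACEME", in place.
    spl, n_marks = MARK_RE.subn(lambda m: f'{m.group(1)}="REPLACEME"', spl)
    spl = " ".join(spl.split())  # collapse the whitespace left where macros were removed
    # ... and the default tail is appended only when no mark chose a field
    # (assumption: a mark replaces the default tail instead of adding to it).
    if n_marks == 0:
        spl = f"{spl} {DEFAULT_TAIL}"
    return spl


def generate_lookup(detections):
    """Render the lookup as CSV text; the 'detection' column name is an assumption."""
    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=["detection", "drilldown_search", "fixed_search"], lineterminator="\n"
    )
    writer.writeheader()
    for d in detections:
        fixed = d.get("fixed_search", "")
        writer.writerow({
            "detection": d["name"],
            "drilldown_search": build_drilldown_search(d["search"], fixed),
            "fixed_search": fixed,
        })
    return out.getvalue()


def render_drilldown(drilldown_search, risk_object):
    """Substitute the risk object for REPLACEME as a single quoted SPL string literal."""
    escaped = risk_object.replace("\\", "\\\\").replace('"', '\\"')
    quoted = f'"{escaped}"'
    # Already-quoted "REPLACEME" (mark form) and bare REPLACEME (default tail) both
    # end up as one quoted literal, so the value cannot add clauses or pipes.
    return drilldown_search.replace('"REPLACEME"', quoted).replace("REPLACEME", quoted)


# Constructed sample detections covering the default, cut, mark and fixed cases.
SAMPLE_DETECTIONS = [
    {"name": "auth_failures", "search": "index=auth action=failure | stats count by user"},
    {"name": "auth_failures_cut",
     "search": "index=auth action=failure `drilldown_cut` | stats count by user | where count > 10"},
    {"name": "proxy_blocked_mark",
     "search": 'index=proxy `drilldown_mark("src")` action=blocked | stats count by dest'},
    {"name": "proxy_blocked_pipe_mark",
     "search": 'index=proxy action=blocked `drilldown_mark("| search src")` | stats count by dest'},
    {"name": "fixed_example", "search": "index=ignored | stats count",
     "fixed_search": "index=dns query=*.example.test | stats count by src"},
]

if __name__ == "__main__":
    print(generate_lookup(SAMPLE_DETECTIONS))
    row = build_drilldown_search(SAMPLE_DETECTIONS[2]["search"])
    print(render_drilldown(row, '10.0.0.5" OR index=* | delete'))
```

Running the block prints the generated lookup for the five constructed detections and then the `proxy_blocked_mark` row rendered for a deliberately awkward risk object, which comes out as one quoted `src="..."` literal instead of extra search clauses. If you model a detection that uses both `drilldown_cut` and `drilldown_mark`, place the mark before the cut; anything after the cut point is discarded before the marks are processed.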