Processing pipeline using the query postprocessing and output finalization transformations to create a custom Splunk savedsearches.conf output with Sigma CLI

splunk-savedsearches-concat.yml

postprocessing:
- type: template
  template: |+
    [{{ rule.id }}]
    search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
    description = {{ rule.description }}

finalizers:
- type: concat
  prefix: |
    [default]
    cron_schedule = */15 * * * *
    dispatch.earliest_time = -20m@m
    dispatch.latest_time = -5m@m

splunk-savedsearches-template.yml

postprocessing:
- type: template
  template: |+
    [{{ rule.id }}]
    search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
    description = {{ rule.description }}

finalizers:
- type: template
  template: |
    [default]
    cron_schedule = */15 * * * *
    dispatch.earliest_time = -20m@m
    dispatch.latest_time = -5m@m

    {{ queries | join('\n') }}