topic Re: Help creating a table that shows specific notable information in Splunk Enterprise Security

Help creating a table that shows specific notable information

LionWolf — Wed, 20 Apr 2022 16:03:08 GMT

Hello Community,

I'm working on a search for a dashboard panel and I need some help.

I'm looking to get the owner, search_name, status_label, and the last comment.

The search I have so far is below:

`notable`
| where owner =="User1" OR owner=="User2" OR owner=="User3" OR owner=="User4" OR owner=="User5" OR owner=="User6"
| where status_label=="Ready for Review" OR status_label=="Closed: False Positive" OR status_label=="Pending" OR status_label=="Closed: Valid - Remediated"
| stats earliest(owner) AS Analyst, earliest(search_name) AS "Alert Name", latest(status_label) AS Status, latest(comment) AS Summary

Re: Help creating a table that shows specific notable information

ITWhisperer — Wed, 20 Apr 2022 16:14:43 GMT

In what way does this not give you what you have asked for?

Re: Help creating a table that shows specific notable information

LionWolf — Wed, 20 Apr 2022 16:20:24 GMT

Hello ITWhisperer,

I only get one notable event, even for 30 days. I need all of the notable events that have been worked on, and that currently have the status_label of "Ready for Review", "Closed: False Positive", "Pending", "Closed: Valid - Remediated"

I thought this search should have returned the results I needed but it isn't.

Re: Help creating a table that shows specific notable information

ITWhisperer — Wed, 20 Apr 2022 16:24:15 GMT

The stats command is giving you a single result for the whole search - perhaps you need to use a BY clause?

Re: Help creating a table that shows specific notable information

LionWolf — Wed, 20 Apr 2022 16:30:53 GMT

The by clause worked! Thank you so much!