https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375590#M3745 <P>I'm working on creating new notable events in Enterprise Security. In the notable event alert action, I'm trying to add field values to the title so that it's easier for analysts to differentiate alerts on the Incident Review dashboard. I've noticed that when the field name <EM>does not</EM> contain spaces, I can just reference the field name using its token, e.g. <CODE>Excessive failed logins from $src_ip$</CODE>, and it works fine. The notable event will pop into the Incident Review dashboard with the expected title of, "Excessive failed logins from 123.456.789.0"</P> <P>However, some of my searches have renames at the end, like <CODE>rename src_ip as "Source IP"</CODE>. I can't seem to get the Incident Review dashboard to display the field value when the field name contains spaces. What's the correct syntax to reference a token where the field name contains spaces in it?</P> <P>An obvious workaround would be to remove the renames so that none of the field names contain spaces, but if referencing them with spaces is possible, I would like to know how. I was unable to find an answer in the documentation or online.</P> Fri, 04 May 2018 19:59:55 GMT masonmorales 2018-05-04T19:59:55Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375590#M3745 <P>I'm working on creating new notable events in Enterprise Security. In the notable event alert action, I'm trying to add field values to the title so that it's easier for analysts to differentiate alerts on the Incident Review dashboard. I've noticed that when the field name <EM>does not</EM> contain spaces, I can just reference the field name using its token, e.g. <CODE>Excessive failed logins from $src_ip$</CODE>, and it works fine. The notable event will pop into the Incident Review dashboard with the expected title of, "Excessive failed logins from 123.456.789.0"</P> <P>However, some of my searches have renames at the end, like <CODE>rename src_ip as "Source IP"</CODE>. I can't seem to get the Incident Review dashboard to display the field value when the field name contains spaces. What's the correct syntax to reference a token where the field name contains spaces in it?</P> <P>An obvious workaround would be to remove the renames so that none of the field names contain spaces, but if referencing them with spaces is possible, I would like to know how. I was unable to find an answer in the documentation or online.</P> Fri, 04 May 2018 19:59:55 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375590#M3745 masonmorales 2018-05-04T19:59:55Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375591#M3746 <P>I'd suggest removing the renames and then use the incident review settings page to provide user-facing names for the custom fields. <A href="http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details">http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details</A></P> Fri, 04 May 2018 20:07:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375591#M3746 smoir_splunk 2018-05-04T20:07:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375592#M3747 <P>Accepted as this is what I ended up doing. </P> Fri, 11 May 2018 00:20:06 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375592#M3747 masonmorales 2018-05-11T00:20:06Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375593#M3748 <P>Sorry I didn't have an SPL workaround for you, mason <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Fri, 11 May 2018 00:21:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-reference-a-token-name-with-spaces-in-it-for-notable/m-p/375593#M3748 smoir_splunk 2018-05-11T00:21:39Z