topic Manual Notable Tittle in Splunk Enterprise Security

Manual Notable Tittle

prashanthberam — Thu, 16 Jul 2020 14:11:14 GMT

I was trying to create a manual notable event using "sendalert notable". But the name of the notable is coming as "Manual Notable Event- Rule". How can I name the notable to exactly what I want?
Please note that I want to create the notable through sendalert only.

Re: Manual Notable Tittle

glados — Tue, 13 Apr 2021 16:25:42 GMT

Did you ever find a solution? I am wondering the same thing. I see that we can control certain fields such as urgency via the sendalert notable command but the name/title field is eluding me.

Re: Manual Notable Tittle

ericjorgensenjr — Tue, 13 Apr 2021 16:58:58 GMT

I'm not sure that this is possible without modifying the underlying alert action or cloning it and creating a modified version.

However, there is a workaround that can provide similar functionality without using an alert action:

| makeresults | eval somefield="Some text", search_name="SearchName", source=search_name | collect index=notable source="SearchName"