https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669343#M15512 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262200">@gwen</a>&nbsp;,</P><P>as you like, but masking the information I don't think that you reveal your confidential information.</P><P>Anyway,&nbsp;good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 21 Nov 2023 15:02:47 GMT gcusello 2023-11-21T15:02:47Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/668986#M15504 <P>hello,</P><P>i have a correlation search with variable that does'nt work</P><P><STRONG>| stats count by host</STRONG></P><P><STRONG>| eval hello_world = host</STRONG></P><P>when im looking in incident review, my alerte show $hello_word$ and not my values host.</P><P>Can you help me please ?</P><P>splunk ver 7.3.5</P> Fri, 17 Nov 2023 10:53:42 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/668986#M15504 gwen 2023-11-17T10:53:42Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/668992#M15505 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262200">@gwen</a>,</P><P>sorry but I don't understand what you mean with variable.</P><P>A Correlation Search is an alert, so you canno pass a token to it.</P><P>Could you share your complete Correlation Search source code?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Nov 2023 11:30:55 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/668992#M15505 gcusello 2023-11-17T11:30:55Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669001#M15506 <P>hello,</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=windows_srv EventCode=20005 | stats count by host | search count &gt;= 1 | eval server_impacted = host, tentative_number = count | table server_impacted, tentative_number</LI-CODE> <P>&nbsp;</P> <P>and im using $server_impacted$ and $tentative_number$ in my correlation search.</P> <P>&nbsp;</P> <P>then i see in tittle on my incident review <STRONG>: my message on <U>$server_impacted$ </U></STRONG>instead <STRONG>my message on windowsservername</STRONG></P> Fri, 17 Nov 2023 13:06:12 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669001#M15506 gwen 2023-11-17T13:06:12Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669006#M15507 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262200">@gwen</a>&nbsp;,</P><P>let me understand: what are&nbsp;<SPAN>$server_impacted$ and $tentative_number$?</SPAN></P><P><SPAN>are they tokens to pass in a drilldown or what else?</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Fri, 17 Nov 2023 12:59:58 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669006#M15507 gcusello 2023-11-17T12:59:58Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669341#M15511 <P>I thank you but I can not share much information because confidential.<BR />It’s better to close the post.<BR />Thanks for your help.<BR />Excuse me for being upset.</P> Tue, 21 Nov 2023 14:59:38 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669341#M15511 gwen 2023-11-21T14:59:38Z https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669343#M15512 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262200">@gwen</a>&nbsp;,</P><P>as you like, but masking the information I don't think that you reveal your confidential information.</P><P>Anyway,&nbsp;good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 21 Nov 2023 15:02:47 GMT https://community.splunk.com/t5/Alerting/correlation-search-variable-doesn-t-work-in-my-incident-review/m-p/669343#M15512 gcusello 2023-11-21T15:02:47Z