correlation search variable doesn't work in my inc...

gwen · ‎11-17-2023

hello,

i have a correlation search with variable that does'nt work

| stats count by host

| eval hello_world = host

when im looking in incident review, my alerte show $hello_word$ and not my values host.

Can you help me please ?

splunk ver 7.3.5

gwen · ‎11-21-2023

I thank you but I can not share much information because confidential.
It’s better to close the post.
Thanks for your help.
Excuse me for being upset.

gcusello · ‎11-21-2023

Hi @gwen ,

as you like, but masking the information I don't think that you reveal your confidential information.

Anyway, good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gwen · ‎11-17-2023

hello,

index=windows_srv EventCode=20005

| stats count by host

| search count >= 1

| eval server_impacted = host, tentative_number = count

| table server_impacted, tentative_number

and im using $server_impacted$ and $tentative_number$ in my correlation search.

then i see in tittle on my incident review : my message on $server_impacted$ instead my message on windowsservername

gcusello · ‎11-17-2023

Hi @gwen ,

let me understand: what are $server_impacted$ and $tentative_number$?

are they tokens to pass in a drilldown or what else?

Ciao.

Giuseppe

gcusello · ‎11-17-2023

Hi @gwen,

sorry but I don't understand what you mean with variable.

A Correlation Search is an alert, so you canno pass a token to it.

Could you share your complete Correlation Search source code?

Ciao.

Giuseppe

correlation search variable doesn't work in my incident review

alert action

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?