variable substitution for rule_title in notable ev...

mjones414 · ‎02-13-2025

Hello Splunk colleagues!

I'm trying to create a new correlation search that generates a notable event, and uses a field I generate for the title. The title field in the notable indicates I can use variable substitution, and I've verified that the field is being created for every event the correlation search generates. the field is called my_rule_title

In the notable event, I am putting in $my_rule_title$ and when the notable is generated, the rule title on incident review literally says "$my_rule_title$" and not the contents of the field my_rule_title.

what am I doing wrong to get the rule title in incident review to display the value of my_rule_title? the other variable substitutions I'm doing in the correlation search for $description$ and $urgency$ are working as expected, just not the title.

livehybrid · ‎02-13-2025

That is unusual, Ive never had an issue including tokens as you suggested, the only thing I can think of is the underscores - although I have particular idea as to why that would cause an issue - Could you try changing the field name to remove underscores and check to see how it behaves after this?

Just to clarify - when you run the search manually you get the "my_rule_title" field in the results, right?

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

variable substitution for rule_title in notable event is not working

alert action

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!