Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to search source event based on the correlatio...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search source event based on the correlation search.
For example.
I make a correlation search like:
|from datamodel:"Intrusion_Detection"
|eval type=signature+src+dest+dvc
|where severity="high"
|eval status_group="threat"
|stats latest(_time) as _time,values(host) as host,values(id) as id,values(severity) as severity,values(signature) as signature,values(src) as src,values(dest) as dest,values(dvc) as dvc,values(status) as status,values(status_group) as status_group,values(owner) as owner,values(governance) as governance,values(control) as control,values(action) as action count by type
|fillnull value="unknown" src,dest,dvc,governance,control,status,owner,status_group,host,action,user
|where count>10
| table _time,host,severity,signature,src,dest,dvc,status,status_group,owner,governance,control,count,action,id
And now, I want to find the original events of this correlation search. maybe like:
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:57:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:33:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:20:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:43:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:48:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:47:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:59:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:50:00,172.18.1.1,critical,SQL Injection,10.0.0.2*
How can I do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your drill down search you can use the source event values by referencing the field name wrapped in $ - for example, if you want to search by the src field value from the notable event your drill down search criteria would include src=$src$.
I believe the values that you want to reference have to be defined in the Enterprise Security Configuration: "Incident Review Settings" -> "Incident Review - Event Attributes" table, and remember if you're using a datamodel in your correlation search that you have to remove the datamodel object name from the field names in that correlation search, for example:
| rename IDS_Attacks.* as *
.. or the built in macro drop_dm_object_name:
| `drop_dm_object_name("IDS_Attacks")`
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
