Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Enterprise Security -> Customizing Incident Review -> Adding Short ID

cbschreiber
Explorer
‎04-12-2021 01:32 PM

I'm wanting to add the short ID that one can generate for a notable in IR. 

cbschreiber_1-1618258938697.png

cbschreiber_0-1618258902334.png

To the columns in Incident Review for our SOC to use. 

cbschreiber_2-1618258995741.png

However, I can't find the proper attribute name for this and it's not in the notable index, or in notable_xref_lookup or es_notable_events lookup. 

Hoping someone can tell me what the correct "Short ID" attribute name is.

Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable. 

Thanks in Advance!

 

Labels (1)
Labels
Reply

daventura
Loves-to-Learn Lots
‎01-10-2023 03:52 AM

under incident review settings table attributes enter

 

notable_xref  as the field and Short ID as the title

 

Also you should schedule a search to run every  5 minutes  */5 * * * *

to automatically create the short id's, this is most helpful 

`notable`
| where isnull(notable_xref)
| eval notable_time=_time, xref_label="Short ID", xref_name="short_id", xref_id="V".substr(upper(md5(event_id)), 0, 5)
| table event_id, notable_time, xref_id, xref_label, xref_name
| outputlookup append=t notable_xref_lookup

Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...