Splunk Enterprise Security

Access Notable event_id from a correlated search event

othmanexd
New Member

Since a notable event is generated from a correlated search event, is there a way to output the notable event "event_id" from the correlated search event? I have a use case where I need to update notable event fields that are associated with a specific correlated search event.

0 Karma

triest
Communicator

I'm not completely positive what you are trying to do, so my apologies if this doesn't help you.

When searching the notable index, which is where notable events generated from correlation searches are stored, you can use a macro called get_event_id_meval to create a field called event_id that will have the proper event id.

index=notable
| eval `get_event_id_meval`

From a correlation search you can't access the event id because if you expand that macro you will see that it uses the bucket and _time (also _raw, but that you could know in a correlation search), so you have to actually let the summary indexing happen and the event be written to the notable index. That's also why searching for an event based on the event_id isn't very efficient. On every search, for every event, it has to re-calculate the event_id.

If you need to search the data from a search head without ES, you can easily run the above search from within ES and then use the macro expansion (Ctrl+E on Windows; I think Option+E on Mac) to expand the macros. There's a bit of macros calling macros in the process.

0 Karma
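As an added illustration of the approach in this answer (example code, not from the original thread and not Splunk's, Phantom's or ServiceNow's own code): because event_id only exists once the event has been written to index=notable, an external tool has to search that index with the macro, collect the event_id values for the correlation search it cares about, and only then attach a comment through the ES notable update endpoint. The host, port, credentials, rule name, endpoint paths and the ruleUIDs/comment parameter names are assumptions to check against your ES version.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_notable_search(rule_name, earliest="-24h"):
    """SPL that reads index=notable and derives event_id with the macro from
    the answer above; rule_name on a notable event carries the correlation
    search name, so it ties each notable back to the search that made it."""
    safe_name = rule_name.replace('"', '\\"')
    return (f'search index=notable rule_name="{safe_name}" earliest={earliest} '
            "| eval `get_event_id_meval` | table _time event_id rule_name")

def extract_event_ids(rows):
    """Unique, non-empty event_id values in first-seen order; rows without an
    event_id (or with an empty one) are skipped rather than sent onward."""
    seen, ids = set(), []
    for row in rows:
        eid = row.get("event_id")
        if eid and eid not in seen:
            seen.add(eid)
            ids.append(eid)
    return ids

def build_update_form(event_ids, comment):
    """Form body for the ES notable_update endpoint (parameter names are an
    assumption to verify on your version); ruleUIDs is repeated per event."""
    if not event_ids:
        raise ValueError("no notable event_ids to update")
    return {"ruleUIDs": list(event_ids), "comment": comment}

def _post(url, auth, form):
    """Basic-auth POST via urllib so the script needs no third-party packages."""
    body = urllib.parse.urlencode(form, doseq=True).encode()
    req = urllib.request.Request(url, data=body)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:  # TLS verified by default
        return resp.read().decode()

def annotate_notables(host, auth, rule_name, comment):
    """Search the notable index, then attach the ticket comment to every
    matching notable. Assumed hostname/port/endpoints; network only here."""
    base = f"https://{host}:8089"
    raw = _post(f"{base}/services/search/jobs/export", auth,
                {"search": build_notable_search(rule_name), "output_mode": "json"})
    # export streams one JSON object per line; only objects with "result" are rows
    objs = (json.loads(line) for line in raw.splitlines() if line.strip())
    ids = extract_event_ids([o["result"] for o in objs if "result" in o])
    return _post(f"{base}/services/notable_update", auth, build_update_form(ids, comment))
```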

othmanexd
New Member

So what I basically have is an integration between Splunk/Phantom/ServiceNow where Splunk forwards correlated search events to Phantom using the "Phantom App-on" with the Event forwarding feature and then Phantom executes a playbook to create a ServiceNow Ticket. What I want to do is update the "comment" field for each Notable Event in ES that is associated with the "Correlated search event" that was pushed from Splunk to Phantom with the ticket number that was created. So I'm trying to figure out if there is a shared value that's in both the "Notable event" and "Correlated Search Event" so I can link the two and update the "Notable Event" comments field. Maybe there is a better approach to doing this?

0 Karma