- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Access Notable event_id from an correlated sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access Notable event_id from an correlated search event
Since a notable event is generated from a correlated search event, is there a way to output the notable event "event_id" from the correlated search event? I have a use case where I need to update notable event fields that's associated with a specific correlated search event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not completely positive what you are trying to do, so my apologies if this doesn't help you.
When searching the notable index which is where notable events that are generated from correlation searches, you can use a macro called get_event_id_meval to create a field called even_id that will have the proper event id.
index=notable
| eval `get_event_id_meval`From a correlation search you can't access the event id because if you expand that macro you you will see that it uses the bucket and _time (also _raw but that could you know in a correlation search) so you have to actually let the summary indexing happen and the event be written to the notable index. That's also why searching for an event based on the event_id isn't very efficient. On every search, for every event, it has to re-calculate the event_id.
If you need to search the data from a search head without ES, you can easily run the above search from within ES and then use the macro expansion (ctrl+E on windows; I think option+e on mac) to exapnd the macros. There's a bit of macros calling macros in the process.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what I basically have is an integration between splunk/phantom/servicenow where Splunk forwards correlated search events to phantom using the "Phantom App-on" with the Event forwarding feature and then phantom executes a playbook to create a Servicenow Ticket. What I want to do is update the "comment" field for each Notable Event in ES that is associated with the "Correlated search event" that was pushed from Splunk to phantom with the ticket number that was created. So I'm trying to figure out if there is a shared value that's in both the "Notable event" and "Correlated Search Event" so I can link the two and update the "Notable Event" comments field. Maybe there is a better approach to doing this?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
