Splunk Enterprise Security

Adaptive Response & Notable Race Condition

ericl42
Path Finder

We utilize adaptive response rules quite a bit within Splunk and have had quite a bit of success manually running them after the notable event is created.

Recently we have had a few use cases where we want an adaptive response rule to automatically run once the notable event is tripped and then close out the notable. The issue I'm having is that it appears to be some race condition where if I create a correlation rule that has both the action of create a notable and run my adaptive response rule, it's not working.

With my adaptive response action, I normally pull variables from the notable and then auto update it but I'm not sure how to do all of that after the notable is created.

Has anyone done something along these lines? Thanks.


kchamplin_splun
Splunk Employee

Hello @ericl42 - there isn't a straightforward way to achieve what you're asking with the current implementation of alert actions within Splunk Enterprise (this is what Adaptive Response is built on top of). Right now, all alert/adaptive response actions attached to a correlation search run basically simultaneously. This means that search-time constructs like the notable id (aka "rule_id") value that would be used to update the status of a Notable don't yet exist and are therefore not accessible to other AR actions being run. Your best bet is to set up an external saved search that looks for the "source" value of the notable(s) you want to auto-close, and attach your AR action to that saved search. This should allow you to access the value of "rule_id" from those search results and you can then operate on that notable as you see fit.
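
The two-stage pattern from the accepted answer, written out as an added example (not code from this thread or from Splunk): a scheduled saved search selects the already-indexed notables of one correlation search by their "source" value, and the custom alert action attached to it closes them through the ES notable_update REST endpoint. Splunk passes a custom alert action (alert.execute.cmd) a JSON payload on stdin whose results_file, server_uri and session_key keys are the documented ones; ruleUIDs/status/comment are the documented notable_update parameters. The SPL text, the "Threat - Example Correlation Rule - Rule" source value, the status_label filter, the sample results and the status id 5 (ES's default "Closed") are assumptions to check against your own instance.

```python
"""Auto-close the notables of one correlation search from a follow-up saved search.

Added example. Assumes: a custom alert action wired up via alert.execute.cmd,
the documented stdin payload keys (results_file, server_uri, session_key), and
the Splunk ES notable_update endpoint. Status id 5 is ES's default "Closed";
confirm it under Configure > Incident Management in your own deployment.
"""
import csv
import gzip
import io
import json
import ssl
import sys
import urllib.parse
import urllib.request

# Assumed SPL for the saved search this action is attached to. Because it runs
# after the correlation search has indexed the notable, event_id (the value the
# thread calls rule_id) exists in its results; the correlation search's own AR
# actions fire before it does and therefore never see it.
SAVED_SEARCH_SPL = (
    "`notable` "
    '| search source="Threat - Example Correlation Rule - Rule" '
    'status_label!="Closed" '
    "| stats latest(_time) AS _time BY event_id source"
)

CLOSED_STATUS = 5  # ES default status id for "Closed" (assumption: verify)

# Constructed sample of the gzipped CSV results file Splunk hands the action.
SAMPLE_RESULTS_GZ = gzip.compress(
    b"event_id,source,status_label\n"
    b"sid-1@@notable@@aaaa,Threat - Example Correlation Rule - Rule,New\n"
    b",Threat - Example Correlation Rule - Rule,New\n"  # no id: skipped
    b"sid-1@@notable@@aaaa,Threat - Example Correlation Rule - Rule,New\n"  # dup
    b"sid-2@@notable@@bbbb,Threat - Example Correlation Rule - Rule,New\n"
)


def parse_results(gz_bytes):
    """Decode the gzipped CSV results file into a list of row dicts."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", newline="") as fh:
        return list(csv.DictReader(fh))


def extract_rule_ids(rows, id_field="event_id"):
    """Unique, non-empty notable ids in first-seen order (stats rows may repeat)."""
    seen = []
    for row in rows:
        rid = (row.get(id_field) or "").strip()
        if rid and rid not in seen:
            seen.append(rid)
    return seen


def build_update_request(server_uri, session_key, rule_ids, status, comment):
    """Build the POST to /services/notable_update; ruleUIDs repeats per notable."""
    if not rule_ids:
        raise ValueError("no notable ids to update")
    form = [("ruleUIDs", rid) for rid in rule_ids]
    form += [("status", str(status)), ("comment", comment)]
    req = urllib.request.Request(
        server_uri.rstrip("/") + "/services/notable_update",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    # The saved search's session key: its owner needs ES's edit_notable_events capability.
    req.add_header("Authorization", "Splunk " + session_key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def demo():
    """Offline run over the constructed sample; returns the ids that would be closed."""
    return extract_rule_ids(parse_results(SAMPLE_RESULTS_GZ))


def main():
    payload = json.load(sys.stdin)  # Splunk's alert-action payload
    with open(payload["results_file"], "rb") as fh:
        rule_ids = extract_rule_ids(parse_results(fh.read()))
    if not rule_ids:
        return 0
    req = build_update_request(
        payload["server_uri"], payload["session_key"], rule_ids,
        CLOSED_STATUS, "Auto-closed by follow-up saved search",
    )
    # Default context verifies splunkd's certificate; relax it only for a lab
    # instance with a self-signed cert, never on a production search head.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        sys.stderr.write("notable_update -> HTTP %d\n" % resp.status)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Schedule the follow-up search a few minutes behind the correlation search so the notable is indexed before it runs, and keep the source filter tight so the action cannot close notables raised by other rules; the status_label filter stops it re-closing the same notables on every run.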
