Solved: Add comment field in incident review page.

N92 · ‎04-23-2018

Can I add comment field as table attribute in incident review page. For that what would be field name so I can map it with my custom lable. Where the field name I can find for owner & status also.

smoir_splunk · ‎04-24-2018

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA will probably help you find information about the comment field, and http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables#Add_a_field_to_the_notable_eve... covers in more detail and more up-to-date how to get an additional field to appear on incident review.

View solution in original post

smoir_splunk · ‎04-24-2018

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA will probably help you find information about the comment field, and http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables#Add_a_field_to_the_notable_eve... covers in more detail and more up-to-date how to get an additional field to appear on incident review.

ssadanala1 · ‎04-23-2018

Answer for your question is below

https://answers.splunk.com/answers/298999/splunk-app-for-enterprise-security-how-to-add-addi.html

N92 · ‎04-23-2018

Still, I don't find the field name for comment label. Thanks for your answer I understand how to add new field.

Add comment field in incident review page.

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?