I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the incident review dashboard). I'd like these fields to show up in the body of the event when it's expanded using the "view details" link. Correlation searches included out of the box generate notable events that have lots of helpful fields and I'd like to add this type of content to my new correlation searches.
Can anyone tell me how to do that? Haven't seen anything in the documentation.
Thanks!
Doing more research, I may have answered my own question. It looks like the method described in http://answers.splunk.com/answers/100738/customizing-fields-in-incident-review-tickets.html for doing this in ES 2.4 may still be valid. To rehash:
At the end of the correlation search, add "| `map_notable_fields`" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".
Note that this second part is a global configuration change to ES, not just the specific correlation search. It's covered in the FAQ of the version 2.4 user manual, but isn't included in current documentation as far as I can tell. http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...
Will mark this answer correct if testing is successful.
In Splunk 6.4 ES 4.1.1 (and probably earlier versions), you can add fields to the Incident Review Event Attributes by selecting:
From the ES app - Configure > Incident Management > Incident Review Settings
From this window you can view the current IR Event Attributes and add new ones by clicking the "add new entry" button.
I've found this to be a simple and easy to use approach to adding fields to the Incident Review alert.
The answer that mentions editing of notable2.html is no longer valid in recent versions (3.x) of ES. Instead, copy to local and edit log_review.conf, under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/. Place your new field in the log_review.conf file, which should now reside in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local. A restart is not needed.
@jbrodsky
What is the expected format of this? I haven't found any documentation on this yet.
I have added some field names as their own stanzas; however, it is not showing up in Incident Review.
How do you map the field names to the meaningful names (i.e. like the defaults, e.g. dest maps to Destination)?
The format is a list of JSON objects. The "field" attribute is the name of the field in the search, and the "label" is the string used to preface the value.
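As an added illustration (not code from this thread or from Splunk ES), the snippet below parses a constructed log_review.conf value in the format described above, a JSON list of objects with "field" and "label", checks each entry, and shows which label/value lines a notable event would get; the stanza name `[incident_review]` and key `event_attributes` are assumptions, so compare them against the default log_review.conf shipped under SA-ThreatIntelligence/default.

```python
import json

# Constructed example of the value described above: a JSON list of objects,
# "field" = name of the field in the search, "label" = text shown before the value.
# The stanza and key names are assumptions; check them against the default
# log_review.conf shipped with SA-ThreatIntelligence.
EVENT_ATTRIBUTES_CONF = """
[incident_review]
event_attributes = [{"field": "src", "label": "Source"}, {"field": "dest", "label": "Destination"}, {"field": "signature", "label": "Signature"}, {"field": "user", "label": "User"}]
"""

# One-field-per-stanza layout (the mistake described earlier in the thread);
# constructed to show that the parser rejects it rather than silently ignoring it.
PER_FIELD_STANZA_CONF = """
[dest]
label = Destination
"""

# Constructed notable event as a correlation search might emit it; note that
# "user" is absent, so that attribute is not rendered.
SAMPLE_NOTABLE = {
    "_time": "2016-01-01T00:00:00Z",
    "src": "10.0.0.5",
    "dest": "10.0.0.9",
    "signature": "Multiple failed logins",
    "rule_name": "Constructed test rule",
}


def parse_event_attributes(conf_text):
    """Extract and validate the JSON list from the conf text.
    A malformed or misplaced list is the usual reason a new attribute never
    appears in Incident Review, so fail loudly with a pointer to the problem."""
    for line in conf_text.splitlines():
        if line.strip().startswith("event_attributes"):
            _, _, raw = line.partition("=")
            attrs = json.loads(raw.strip())
            break
    else:
        raise ValueError("event_attributes key not found (fields must not be their own stanzas)")
    if not isinstance(attrs, list):
        raise ValueError("event_attributes must be a JSON list")
    for i, obj in enumerate(attrs):
        if not isinstance(obj, dict) or not {"field", "label"} <= set(obj):
            raise ValueError(f"entry {i} must be an object with 'field' and 'label'")
    return attrs


def render_notable(attrs, event):
    """Return the 'Label: value' lines for the attributes present in the event;
    fields the correlation search did not output are skipped, not shown empty."""
    return [f"{a['label']}: {event[a['field']]}" for a in attrs if a["field"] in event]
```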