Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a notable event from correlation search

shiftey
Path Finder
‎05-27-2015 05:20 PM

Hi
Im using the below search and wish to create a notable event from the search. (filtered to not show company info)

sourcetype=DhcpSrvLog description=assign dest!=prefix1* prefix2* dest_ip!=x.x.x.x/20 dest_ip!=x.x.x.x/21 | rex mode=sed field=dest "s/.companydomain.com//g" | where dest!=dest_mac | table dest,dest_ip,dest_mac,time,date | sort date

When I search manually over last 24 hours I get results, however no notable events are created. Does the correlation search syntax need to be in a certain format to generate the notable event?

Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎05-27-2015 08:37 PM

The correlation search does need to be in a particular format (needs to make an event in the notable index and have particular fields). I suggest using the Correlation Search Editor to make it (Configuration » Custom Searches) since it will handle the particulars for you. Make sure to enable the "Create notable event" action so that the search creates a notable event for you.

View solution in original post

Reply
Solved! Jump to solution

kamal_jagga
Contributor
‎11-20-2018 04:44 PM

Hi Luke,

I am also trying to create some custom correlation searches and notables from my daily reports.

Steps I followed to make this:
1. In ES ==> ES ==> Configure ==> Content Mgmt ==> Create New Content ==> Correlation Searches
2. While creating the correlation searches, I added the name of the new notable (assuming that this would create new notable) and scheduled and saved it.

The query runs fine and gives the output in tabular format. Its creating the notables but I am not able to see the contributing events/error event.

As you mentioned above, could you advise on the format needed to make an event in the notable index and have particular fields.

Also, I am unable to find Correlation Search Editor to make it (Configuration » Custom Searches)

Kindly advise.

0 Karma
Reply
Solved! Jump to solution

kamal_jagga
Contributor
‎11-22-2018 08:50 AM

I created the notable events in the Configure==> Incident events as well. Still unable to see the contributing events in incidents.

Reply
Solved! Jump to solution

kamal_jagga
Contributor
‎01-06-2019 01:43 PM

I hadn't named the Drill-down search while creating the notable. Once it was updated, the contributing events started showing up as expected.

0 Karma
Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎05-27-2015 08:37 PM

The correlation search does need to be in a particular format (needs to make an event in the notable index and have particular fields). I suggest using the Correlation Search Editor to make it (Configuration » Custom Searches) since it will handle the particulars for you. Make sure to enable the "Create notable event" action so that the search creates a notable event for you.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...