Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: Creating a notable event from correlation sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Im using the below search and wish to create a notable event from the search. (filtered to not show company info)
sourcetype=DhcpSrvLog description=assign dest!=prefix1* prefix2* dest_ip!=x.x.x.x/20 dest_ip!=x.x.x.x/21 | rex mode=sed field=dest "s/.companydomain.com//g" | where dest!=dest_mac | table dest,dest_ip,dest_mac,time,date | sort date
When I search manually over last 24 hours I get results, however no notable events are created. Does the correlation search syntax need to be in a certain format to generate the notable event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The correlation search does need to be in a particular format (needs to make an event in the notable index and have particular fields). I suggest using the Correlation Search Editor to make it (Configuration » Custom Searches) since it will handle the particulars for you. Make sure to enable the "Create notable event" action so that the search creates a notable event for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Luke,
I am also trying to create some custom correlation searches and notables from my daily reports.
Steps I followed to make this:
1. In ES ==> ES ==> Configure ==> Content Mgmt ==> Create New Content ==> Correlation Searches
2. While creating the correlation searches, I added the name of the new notable (assuming that this would create new notable) and scheduled and saved it.
The query runs fine and gives the output in tabular format. Its creating the notables but I am not able to see the contributing events/error event.
As you mentioned above, could you advise on the format needed to make an event in the notable index and have particular fields.
Also, I am unable to find Correlation Search Editor to make it (Configuration » Custom Searches)
Kindly advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created the notable events in the Configure==> Incident events as well. Still unable to see the contributing events in incidents.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hadn't named the Drill-down search while creating the notable. Once it was updated, the contributing events started showing up as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The correlation search does need to be in a particular format (needs to make an event in the notable index and have particular fields). I suggest using the Correlation Search Editor to make it (Configuration » Custom Searches) since it will handle the particulars for you. Make sure to enable the "Create notable event" action so that the search creates a notable event for you.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
