Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

ES notable urgency changing for old notables.

AK007
Engager
‎08-27-2020 07:36 AM

Hi, 

We have correlation search with action as notable. Initially we made it low Severity on notable to monitor and set threshold . when we changed the severity to high for same notable all the old low severity notable events changed to High automatically.  (this search is on data model so dose not have any eval urgency in search).

How to avoid changing old notable event severity  ? we just want new alerts to be with high urgency not change the old once. 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jhunter
Explorer
‎08-29-2020 05:17 PM

This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.


Use SPL in the correlation search to assign severity:

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned

"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:

| eval severity="high"

Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching

tstats count something FROM someDataModel by somethingElse 
| where other stuff and magic
| eval severity="high"

View solution in original post

Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-29-2020 11:49 PM

Notable modular alerts actions values are not written to index=notable. To display severity or priority or urgency, Incident review will perform rest query to get values of correlation search and display in Incident review.

However, I believe there is an option to overwrite severity from in-line search of correlation search.

just add below line to your correlation search.

| eval severity="informational/high/low"

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution
Solution

Jhunter
Explorer
‎08-29-2020 05:17 PM

This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.


Use SPL in the correlation search to assign severity:

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned

"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:

| eval severity="high"

Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching

tstats count something FROM someDataModel by somethingElse 
| where other stuff and magic
| eval severity="high"

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-28-2020 06:16 AM
AFAIK, that's how ES functions and there's no way to change it.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...