Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- ES notable urgency changing for old notables.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We have correlation search with action as notable. Initially we made it low Severity on notable to monitor and set threshold . when we changed the severity to high for same notable all the old low severity notable events changed to High automatically. (this search is on data model so dose not have any eval urgency in search).
How to avoid changing old notable event severity ? we just want new alerts to be with high urgency not change the old once.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.
Use SPL in the correlation search to assign severity:
https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned
"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."
If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:
| eval severity="high"
Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching
tstats count something FROM someDataModel by somethingElse
| where other stuff and magic
| eval severity="high"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Notable modular alerts actions values are not written to index=notable. To display severity or priority or urgency, Incident review will perform rest query to get values of correlation search and display in Incident review.
However, I believe there is an option to overwrite severity from in-line search of correlation search.
just add below line to your correlation search.
| eval severity="informational/high/low"
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.
Use SPL in the correlation search to assign severity:
https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned
"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."
If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:
| eval severity="high"
Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching
tstats count something FROM someDataModel by somethingElse
| where other stuff and magic
| eval severity="high"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this reply helps you, Karma would be appreciated.
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
September Community Champions: A Shoutout to Our Contributors!
