Splunk Enterprise Security

Edit name of notable event

Builder

I have this search:
| metadata type=hosts
| lookup criticalsystems Hostname as host OUTPUT Hostname as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")
| convert ctime(lastTime) as LastTimeLogged
| where lastTime < last60
| table host, LastTimeLogged
| sort -LastTimeLogged

The name of my notable event:
Stop sending logs from $host$

And results in "Incident Review":
http://prntscr.com/haawz1 I want the name I marked in red to be the main name of my notable event.

And in your opinion, which fields would be good to add to this notable event?

0 Karma

Legend

Hi test_qweqwe,
to change the font color you have to customize the CSS.
In the Splunk 7.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/), you can find some examples to highlight or color a cell of an event.

Bye.
Giuseppe

0 Karma

Builder

I didn't say it correctly; I need something else.

Okay, in the notable event we have "Additional Fields" -> "Host", which has the name server_host1.local, and I want this name in the title of the notable event.

I need "Stop sending logs from server_host1.local", not "Stop sending logs from ip-10.0.0.16"

0 Karma

Legend

Let me understand: when you speak of Notable Events, are you speaking of Enterprise Security or Splunk Enterprise?
If Enterprise Security, sorry, but I cannot help you.
If Splunk Enterprise, the question is: where is the host field with the real hostname?
I see in your search three host fields: host, host1 and Host_name; identify which field has the real hostname and use it.

Bye.
Giuseppe

0 Karma

Builder

It's Enterprise Security 😞

0 Karma

Legend

Sorry!
I had this doubt, but it isn't in the question tags.
Good luck!
Bye.
Giuseppe

0 Karma
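An added example, not from the thread: the original lookup writes the lookup's Hostname back into host, so the title token $host$ still carries the raw metadata value. One way to get a display name into the title is to keep host unchanged and output the lookup's display-name column into a separate field. It assumes the criticalsystems lookup has a display-name column, hypothetically named friendly_name here; the threshold and title text are the ones from the question.

```spl
| metadata type=hosts
| search host=*
| lookup criticalsystems Hostname AS host OUTPUT friendly_name AS critical_name
| where isnotnull(critical_name)
| eval last60=relative_time(now(),"-60m@m")
| where lastTime < last60
| eval silent_minutes=round((now()-lastTime)/60)
| convert ctime(lastTime) AS LastTimeLogged
| table host, critical_name, LastTimeLogged, silent_minutes
| sort -lastTime
```

With this search, the notable event title can be "Stop sending logs from $critical_name$", and host, LastTimeLogged and silent_minutes are useful additional fields for the analyst triaging the event.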