Splunk Enterprise Security

Edit title of notable event x2

test_qweqwe
Builder
sourcetype=WinEventLog:Security (EventCode=4720)
| eval date=strftime(_time, "%Y/%m/%d")
| rex "New\sAccount:\s+.*\s+\w+\s\w+:\s+(?<NewAccount>.*)"
| rex "Account\sName:\s+(?<SourceAccount>.*)"
| stats count by date, NewAccount, SourceAccount, Keywords, host
| sort - date
| rename NewAccount as user
| rename SourceAccount as src_user

Why do $src_user$ and $user$ not show data? What should I do to fix it -> http://prntscr.com/hdt8mm ?

Description: $src_user$ created account $user$ on system $orig_host$
shows as:
Description: Unknown created account unknown on system WIN2012LAB.

0 Karma

micahkemp
Champion

My previous answer did not address the actual issue you're seeing. What you're running into is that your original data has the fields referenced by your description, but your correlation search results did not. Your notable event description needs to only reference fields returned by your correlation search. This may be as simple as adding a BY clause to your tstats search command, assuming your correlation search uses tstats.

For further guidance you might want to post your correlation search and your notable event's drilldown search.
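One way to check a notable description template against the fields a correlation search actually returns, as an added example (Python; not part of this thread and not Splunk ES code). The output field set and the sample result row are constructed from the search in the question, and the "unknown" fallback mirrors the rendering shown in the question rather than ES internals:

```python
import re

# Constructed: fields the correlation search in the question emits after
# "stats count by date, NewAccount, SourceAccount, Keywords, host" plus the
# two renames (NewAccount -> user, SourceAccount -> src_user).
SEARCH_OUTPUT_FIELDS = {"date", "user", "src_user", "Keywords", "host", "count"}

# The notable description from the question.
DESCRIPTION = "$src_user$ created account $user$ on system $orig_host$"

TOKEN_RE = re.compile(r"\$(\w+)\$")


def template_tokens(template):
    """Field names referenced as $name$ in a notable title or description."""
    return TOKEN_RE.findall(template)


def missing_tokens(template, output_fields):
    """Tokens the template references but the correlation search does not return."""
    return [t for t in template_tokens(template) if t not in output_fields]


def render(template, row, fallback="unknown"):
    """Substitute $name$ tokens from one result row; a token with no matching
    field becomes the fallback, like the 'unknown' seen in the question."""
    return TOKEN_RE.sub(lambda m: str(row.get(m.group(1), fallback)), template)


if __name__ == "__main__":
    # Constructed sample row, shaped like one line of the search output above.
    row = {"date": "2017/11/15", "user": "jdoe", "src_user": "Administrator",
           "Keywords": "Audit Success", "host": "WIN2012LAB", "count": 1}
    # $orig_host$ is referenced but the search only returns "host".
    print("missing:", missing_tokens(DESCRIPTION, SEARCH_OUTPUT_FIELDS))
    print(render(DESCRIPTION, row))
```

Run this against your own template and the field list from your correlation search before saving it; any name it reports as missing will render as the fallback in the notable.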

test_qweqwe
Builder

I don't correctly understand how to change my search with BY and tstats.
Can you help?

0 Karma

micahkemp
Champion

Variable substitution for the notable title only occurs (by default) on the built-in ES views. If you want to have the event itself show the substituted values you would have to add that functionality elsewhere. One potential solution is detailed here:

https://answers.splunk.com/answers/544388/how-to-get-or-generate-splunk-es-notable-event-tit.html

There are other solutions as well, but I can't find references to them right now.

test_qweqwe
Builder

As I understand, I need to change the code as in your link.
And where can I change it?

0 Karma

hardikJsheth
Motivator

Can you be more specific in what problem are you facing?

0 Karma

niketn
Legend

@test_qweqwe, can you add the code where you are setting the tokens:

$src_user$ created account $user$ on system $orig_host$

Also, when you display the table with these three fields, are they showing the correct values? If they are coming from the above table, can you add some sample data from the output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

test_qweqwe
Builder

They show the correct value.
http://prntscr.com/hdtl3i

"can you add the code where you are setting the tokens"
What does it mean?

0 Karma

niketn
Legend

You have mentioned in your question that $user$, $orig_host$ and $src_user$ are not getting data. In your existing dashboard you should be setting these tokens somewhere (which is not present in the search query you have shared). So share more details from your code so that we can assist further.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma