Splunk Enterprise Security

Edit title of notable event

Builder

I will try again, but with the correct tags on my question.
Today I tried many times to fix it, with zero results.

https://prnt.sc/haawz1 - I need "Stop sending logs from server.host1.local", not "Stop sending logs from ip-10.0.0.16"

When I created the correlation search, I put this in the title of the notable event:
Stop sending logs from $host$

Also, here is my search:
| metadata type=hosts
| lookup critical_systems Host_name as host OUTPUT Host_name as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")
| convert ctime(lastTime) as LastTimeLogged
| where lastTime < last60
| table host, LastTimeLogged
| sort -LastTimeLogged

ip-10.0.0.16 is an IP it takes from the default field "host", which is not in my lookup critical_systems.


Builder

Long story short is that summary events (including notable events) will have a "host" value of the Splunk server that created the events (typically the search head). As such, any correlation searches that persist a "host" field will be re-mapped to "orig_host" in the resulting summary (notable) event.

The correct title in this case would be:

Stop sending logs from $orig_host$

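The re-mapping described in the answer above, as an added example that is not part of the original thread and not Splunk's own code: a small Python model of what happens when a correlation search row is written as a notable event (host is overwritten with the search head that created the event, the original value moves to orig_host), plus a lint check that tells you whether a $token$ in a notable title will resolve to what you expect. It assumes host is the only re-mapped field and that an unresolved token is left in place; both are assumptions, since the page enumerates neither.

```python
import re

# Fields that Enterprise Security re-maps when a correlation search result is
# written as a notable event. The accepted answer confirms host -> orig_host;
# the thread mentions further orig_* fields without listing them, so only host
# is modelled here (assumption).
REMAPPED_FIELDS = {"host": "orig_host"}
ORIG_TO_FIELD = {orig: field for field, orig in REMAPPED_FIELDS.items()}

# $token$ syntax used in notable event titles and descriptions.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def to_notable_fields(result_row, search_head):
    """Model the transformation the accepted answer describes: a persisted
    field that collides with a re-mapped one is moved to its orig_* name, and
    host is overwritten with the Splunk server that created the event."""
    notable = {REMAPPED_FIELDS.get(name, name): value
               for name, value in result_row.items()}
    notable["host"] = search_head
    return notable


def render_title(template, notable_fields):
    """Substitute each $token$ with the notable event's field value.
    Unknown tokens are left untouched (assumption; ES itself may differ)."""
    def substitute(match):
        name = match.group(1)
        return str(notable_fields[name]) if name in notable_fields else match.group(0)
    return TOKEN_RE.sub(substitute, template)


def lint_title(template, result_field_names):
    """Return warnings for tokens that will not resolve to the value the
    search author expects, given the fields the correlation search outputs."""
    available = set(result_field_names)
    warnings = []
    for name in TOKEN_RE.findall(template):
        if name in REMAPPED_FIELDS:
            warnings.append(
                f"${name}$ resolves to the search head; use ${REMAPPED_FIELDS[name]}$")
        elif name in ORIG_TO_FIELD and ORIG_TO_FIELD[name] not in available:
            warnings.append(
                f"${name}$ needs the search to output {ORIG_TO_FIELD[name]}")
        elif name not in ORIG_TO_FIELD and name not in available:
            warnings.append(f"${name}$ is not produced by the correlation search")
    return warnings


if __name__ == "__main__":
    # Constructed row shaped like one line of the "| table host, LastTimeLogged" output.
    row = {"host": "server.host1.local", "LastTimeLogged": "11/10/2017 08:00:00"}
    notable = to_notable_fields(row, search_head="ip-10.0.0.16")
    for template in ("Stop sending logs from $host$",
                     "Stop sending logs from $orig_host$"):
        print(render_title(template, notable), lint_title(template, row))
```

Run it as-is and the first template renders with the search head's name while the second renders with the critical system's name, which is exactly the difference the question is about; the lint output is what you would want to check before saving a correlation search whose title references a field that ES re-maps.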


Builder

Thanks! Also, where can I get information about this? I searched the documentation but did not find it.


Builder

I see a number of orig fields referenced here, but not the general concept of how orig mapping works, and certainly not all orig fields. I will mention this to docs.

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA


Splunk Employee

I don't quite understand your last sentence, however. Where is the IP address coming from? That's coming from the host field of the event enriched by Splunk? As a workaround you could leave Host_name as is and perform your operations on it using that name.

I'm not the best person to comment on search construction, but it seems like there are other ways it could be improved (for example, why are the table and sort relevant?). Is LastTimeLogged stored in the lookup? It might be better to construct this computation as a lookup and then have the correlation search perform the time comparison. Again, that's mostly a guess.

Builder

That's coming from the host field of the event enriched by Splunk?
Yes.

I will try what you said tomorrow.
