Solved: Help creating a table that shows specific notable ...

LionWolf · ‎04-20-2022

Hello Community,

I'm working on a search for a dashboard panel and I need some help.

I'm looking to get the owner, search_name, status_label, and the last comment.

The search I have so far is below:

`notable`
| where owner =="User1" OR owner=="User2" OR owner=="User3" OR owner=="User4" OR owner=="User5" OR owner=="User6"
| where status_label=="Ready for Review" OR status_label=="Closed: False Positive" OR status_label=="Pending" OR status_label=="Closed: Valid - Remediated"
| stats earliest(owner) AS Analyst, earliest(search_name) AS "Alert Name", latest(status_label) AS Status, latest(comment) AS Summary

ITWhisperer · ‎04-20-2022

The stats command is giving you a single result for the whole search - perhaps you need to use a BY clause?

View solution in original post

ITWhisperer · ‎04-20-2022

In what way does this not give you what you have asked for?

LionWolf · ‎04-20-2022

Hello ITWhisperer,

I only get one notable event, even for 30 days. I need all of the notable events that have been worked on, and that currently have the status_label of "Ready for Review", "Closed: False Positive", "Pending", "Closed: Valid - Remediated"

I thought this search should have returned the results I needed but it isn't.

ITWhisperer · ‎04-20-2022

The stats command is giving you a single result for the whole search - perhaps you need to use a BY clause?

LionWolf · ‎04-20-2022

The by clause worked! Thank you so much!

Help creating a table that shows specific notable information

using Enterprise Security

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?