Splunk Enterprise Security

How come my fields are not showing in additional field under incident review in Splunk Enterprise Security?

saurabhsumangat
New Member

My fields are not showing in additional field under incident review in Splunk. I want to take results obtained from the query into additional fields, incident review additional field.

I have created a query using data model.

I have also renamed src_ip & dest_ip to custom name.

I am putting those custom fields into the field value provided to compress (throttling).

I am also putting the same value in the asset extraction field under notable.

But when I get the alert and open the notable from the pane, I do not see those values inside additional fields.

Could someone please help?


harsmarvania57
Ultra Champion

Hi,

If I am understanding your question correctly, the fields src_ip and dest_ip, which you renamed to, for example, ABC and XYZ, are not displayed when you go to Incident Review and click on notable events under Additional Fields.

To achieve this, you need to add those renamed fields, for example ABC and XYZ, into the ES IR configuration. Go to Enterprise Security -> Configure -> Incident Management -> Incident Review Settings, and under Incident Review - Event Attributes add those new fields; after that they will be displayed on the Incident Review page.
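As an added illustration that is not part of the original answer: the Incident Review - Event Attributes setting referred to above is, to my understanding, stored in log_review.conf of the SA-ThreatIntelligence app, so the UI step can also be expressed as a local configuration override. The file path, the stanza and key names, and the labels are assumptions to verify against your ES version; ABC and XYZ are the renamed field names from the question.

```ini
# Assumed file: $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/log_review.conf
# (my understanding of where Configure -> Incident Management -> Incident Review
#  Settings writes its values; confirm against the default/ copy in your install)
[incident_review]
# Each JSON entry exposes one field of the notable event under "Additional Fields".
# "field" must be the name as it exists in the notable event after the search's
# rename, i.e. ABC / XYZ here, not the original src_ip / dest_ip. Listing a field
# only under throttling or asset extraction does not add it to this display list.
event_attributes = [{"field":"ABC","label":"Source IP (ABC)"},{"field":"XYZ","label":"Destination IP (XYZ)"}]
```

Because a key set in local/ replaces the same key from default/ entirely rather than merging with it, copy the existing event_attributes list from the default file and append the new entries, otherwise the standard Additional Fields disappear. Restarting Splunk or reloading the app is required for a file edit, which is one reason the UI path in the answer is the safer route.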

