Splunk Enterprise Security

How do I add macros into my search?

wrosadj
New Member

Would any one know how to look up the name of a person who owns a notable event using the owner field? This is my search so far:

index=notable uc42a 
| table _time, c_time, dest_subnet_name, dest_mac, dest_ip, dest_hostname, 
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time 
| dedup dest_mac  

I want to add the assigned owner of the notable UC's. I tried to add notable_owner into the table, but that didn't work. I know that the owner field is meta data, so how I can add that to my search?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Replace index=notable with notable in your search and notable_owner should work.

0 Karma

mydog8it
Builder

The answer to the question in the title is just pipe it to the name of the macro with "tics" around the macro name (|notable_owners).

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...