Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I add macros into my search?

wrosadj
New Member
‎02-07-2019 05:10 AM

Would any one know how to look up the name of a person who owns a notable event using the owner field? This is my search so far: 

index=notable uc42a 
| table _time, c_time, dest_subnet_name, dest_mac, dest_ip, dest_hostname, 
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time 
| dedup dest_mac

I want to add the assigned owner of the notable UC's. I tried to add notable_owner into the table, but that didn't work. I know that the owner field is meta data, so how I can add that to my search?

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎02-07-2019 09:28 AM

Replace index=notable with notable in your search and notable_owner should work.

0 Karma
Reply

mydog8it
Builder
‎02-07-2019 07:01 AM

The answer to the question in the title is just pipe it to the name of the macro with "tics" around the macro name (|notable_owners).

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...