Splunk Enterprise Security

How do I add macros into my search?

wrosadj
New Member

Would any one know how to look up the name of a person who owns a notable event using the owner field? This is my search so far:

index=notable uc42a 
| table _time, c_time, dest_subnet_name, dest_mac, dest_ip, dest_hostname, 
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time 
| dedup dest_mac  

I want to add the assigned owner of the notable UC's. I tried to add notable_owner into the table, but that didn't work. I know that the owner field is meta data, so how I can add that to my search?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Replace index=notable with notable in your search and notable_owner should work.

0 Karma

mydog8it
Builder

The answer to the question in the title is just pipe it to the name of the macro with "tics" around the macro name (|notable_owners).

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...