Hello,
I would like to assign random new "unassigned" notables to a specific user.
I wanted to accomplish this via a saved search but unfortunately it did not work, and the user I am trying to assign to does actually exist in the environment when looking up the es_notable_events lookup, which also has previous actions made on notables.
| inputlookup es_notable_events
| search owner="unassigned"
| head 10
| eval owner="usertoassign"
| outputlookup es_notable_events append=true key_field=owner
Is there another way to do this? What am I doing wrong?
Thanks,
Regards,
The key_field value should be _key rather than owner. As it stands now, the query is attempting to change the lookup row with key "usertoassign", which doesn't exist and so the changes aren't made.
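The corrected form of the query from the question, as an added example that is not from the original thread or from the Splunk docs; it assumes es_notable_events is a KV store lookup (so inputlookup returns each row's _key) and "usertoassign" stands in for the real username:

```spl
| inputlookup es_notable_events
| search owner="unassigned"
| head 10
| eval owner="usertoassign"
| outputlookup es_notable_events append=true key_field=_key
```

Because the rows keep their original _key, outputlookup updates the ten existing rows in place instead of looking for a row keyed "usertoassign"; re-running `| inputlookup es_notable_events | search owner="usertoassign"` shows whether the update took.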
Thank you for the response,
However I do not quite understand how to rewrite my query based on your feedback.
I have used the following resource from the Splunk docs to accomplish what I am trying to do:
https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Createnotablesmanually
Regards,
I had doubts about that part of the document so I submitted feedback on it. The Docs team have since updated that SPL.
It is updated in this version of the docs. I don't know why other versions are not updated.
Even though the referenced material is correct and works as intended by updating the CSV for the specific line, when loading Incident Review the notable events are still not mapped to a certain user, unfortunately 😕 I assume they are overwritten by other rules or searches. Thank you either way.
I haven't really seen any update or any change on the specific SPL we were mentioning earlier, or am I looking at the wrong query?
SPL from doc as of 01.02.22:
| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=owner
Thanks,