Splunk Enterprise Security

How to automatically assign a recent random notable to a specific user

NightShark
Path Finder

Hello,

I would like to assign random new "unassigned" notables to a specific user.

I wanted to accomplish this via a saved search but unfortunately it did not work, and the user I am trying to assign to does actually exist in the environment when looking up the es_notable_events lookup, which also has previous actions made on notables.

| inputlookup es_notable_events
| search owner="unassigned"
| head 10
| eval owner="usertoassign"
| outputlookup es_notable_events append=true key_field=owner

Is there another way to do this? What am I doing wrong?

Thanks,
Regards,

1 Solution

richgalloway
SplunkTrust

It is updated in this version of the docs.  I don't know why other versions are not updated.

https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Createnotablesmanually#Use_the_owner_field_in_a...

---
If this reply helps you, Karma would be appreciated.


richgalloway
SplunkTrust

The key_field value should be _key rather than owner.  As it stands now, the query is attempting to change the lookup row with key "usertoassign", which doesn't exist and so the changes aren't made.

---
If this reply helps you, Karma would be appreciated.
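The query from the question rewritten with the `_key` fix described in the answer above, as an added example that is not part of the thread. It assumes `es_notable_events` is a KV store lookup (so `inputlookup` returns each row's `_key`) and keeps the placeholder owner `usertoassign` from the question.

```spl
| inputlookup es_notable_events
| search owner="unassigned"
| head 10
| eval owner="usertoassign"
| outputlookup es_notable_events append=true key_field=_key
```

Confirm the rewrite with `| inputlookup es_notable_events | search owner="usertoassign" | stats count` before checking Incident Review. Note that `head 10` takes the first ten unassigned rows in lookup order, not a random sample.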

NightShark
Path Finder

Thank you for the response,

However I do not quite understand how to rewrite my query based on your feedback.

I have used the following resource from the Splunk docs to accomplish what I am trying to do:

https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Createnotablesmanually

Regards,


richgalloway
SplunkTrust

I had doubts about that part of the document so I submitted feedback on it.  The Docs team have since updated that SPL.

---
If this reply helps you, Karma would be appreciated.


NightShark
Path Finder

Even though the referenced material is correct and works as intended by updating the csv for the specific line, when loading Incident Review the notable events are still not mapped to a certain user unfortunately 😕 I assume they are overwritten by other rules or searches. Thank you either way.


NightShark
Path Finder

Well, that is weird. Okay, I got it. Thank you very much!


NightShark
Path Finder

I haven't really seen any update or any change on the specific SPL we were mentioning earlier, or am I looking at the wrong query?

SPL from doc as of 01.02.22:

| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=owner

Thanks,
