Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create notable events with search?

alexspunkshell
Contributor
‎04-14-2022 01:07 AM

I have Power-user access only.

I have a Splunk query and I enabled an alert as a Notable Event. And I also received the notable events in ES --> Incident Review.

But I am not getting the Search query's result in my notable events. I am only getting the Alert name.

Search results of the query are not received in the notable events.

I want to get all the query's search results in the notable events. Please help.

 

Received Notable Event with no information

alexspunkshell_0-1649923450953.png

 

Actual Query's Search Result

alexspunkshell_1-1649923483324.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stefanie
Builder
‎04-14-2022 06:15 AM

If you go to Edit Correlation Search in ES,  and then click "Notable" at the bottom, you can add your description that you would like to have. It supports variables. 

 

What fields are you wanting to show up in the Additional Fields section? Those fields can be added in the Incident Review Settings under Configure in the ES navigation row.

Under " Incident Review - Event Attributes" is there you would map those fields you want to show up.

 

You also have the option to rename some of the fields in your original query to map to some of those labels.

 

I hope this helps!

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Stefanie
Builder
‎04-14-2022 06:15 AM

If you go to Edit Correlation Search in ES,  and then click "Notable" at the bottom, you can add your description that you would like to have. It supports variables. 

 

What fields are you wanting to show up in the Additional Fields section? Those fields can be added in the Incident Review Settings under Configure in the ES navigation row.

Under " Incident Review - Event Attributes" is there you would map those fields you want to show up.

 

You also have the option to rename some of the fields in your original query to map to some of those labels.

 

I hope this helps!

 

 

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...