Splunk Enterprise Security

How to create notable manually with selected timestamp?

bluewizard
Explorer

| stats count
| eval _time=1685158808
| eval rule_title="Test notable"
| eval security_domain="Network"
| eval urgency="Medium"
| eval rule_name="Test rule"
| eval dest="8.8.8.8"
| eval src="1.1.1"
| eval desc="Please investigate firewall log, and action"
| sendalert notable param.mapfields=_time,desc,rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions


Is it possible to use a timestamp to change the notable creation date/time? It is creating a notable every time I hit search with the above query.

Additionally, how do I move my description from below to the above description?

[attached screenshot: bluewizard_0-1685419359576.png]
0 Karma
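An added example, not the original poster's query, that builds the same single synthetic result from a human-readable date instead of a hand-copied epoch, keeps _time numeric, and maps only the fields it sets. rule_description as the notable description field is an assumption about the ES notable schema, and strptime interprets the date in the search head's timezone (the date below is the post's epoch 1685158808 expressed in UTC).

```spl
| makeresults
| eval _time=strptime("2023-05-27 03:40:08", "%Y-%m-%d %H:%M:%S")
| eval rule_title="Test notable"
| eval rule_name="Test rule"
| eval security_domain="Network"
| eval urgency="Medium"
| eval src="1.1.1.1"
| eval dest="8.8.8.8"
| eval rule_description="Please investigate firewall log, and action"
| sendalert notable param.mapfields=_time,rule_title,rule_name,security_domain,urgency,src,dest,rule_description
```

Every run of this search writes a real event to the notable index, so use a non-production ES instance or remove the test notables afterwards; whether the notable displays this _time or its index time is exactly what the thread discusses.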

meetmshah
Contributor

AFAIK, the notable time is the time when the event gets triggered and indexed (not _time from the events). However, I have heard that there is a feature in the upcoming version of ES where we can select the notable time.

0 Karma

bluewizard
Explorer

Is this technically possible, or will every run of sendalert notable create a notable with the time now?
0 Karma