Splunk Enterprise Security

How to create notable manually with selected timestamp?

bluewizard
Explorer

 

 

 

| stats count 
| eval _time="1685158808"
| eval rule_title="Test notable" 
| eval security_domain="Network"
| eval urgency="Medium"
| eval rule_name="Test rule"
| eval dest="8.8.8.8"
| eval src="1.1.1" 
| eval desc="Please investigate firewall log, and action"
| sendalert notable param.mapfields=_time,desc,rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

 

 

 

 


Is it possible to use a timestamp to change the notable creation date time? it is creating notable everytime i hit search with the above query.`

Additionally how do i move my description from below to the above description?

 

bluewizard_0-1685419359576.png

 

 

Labels (1)
0 Karma

johnlee2327
Explorer

You can use "rule_description" as the field for the above description.

0 Karma

meetmshah
Builder

AFAIK, The notable time is the time when the event gets triggered and indexed (and not _time from the events). However, I have heard that there is a feature in the upcoming version of ES where we can select notable time.

0 Karma

bluewizard
Explorer

is this technically possible, or everytime i run sendalert notable it will create a notable with time now?

 

 

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...