How to create notable manually with selected times...

bluewizard · ‎05-29-2023

| stats count 
| eval _time="1685158808"
| eval rule_title="Test notable" 
| eval security_domain="Network"
| eval urgency="Medium"
| eval rule_name="Test rule"
| eval dest="8.8.8.8"
| eval src="1.1.1" 
| eval desc="Please investigate firewall log, and action"
| sendalert notable param.mapfields=_time,desc,rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

Is it possible to use a timestamp to change the notable creation date time? it is creating notable everytime i hit search with the above query.`

Additionally how do i move my description from below to the above description?

johnlee2327 · ‎10-22-2024

You can use "rule_description" as the field for the above description.

meetmshah · ‎07-17-2023

AFAIK, The notable time is the time when the event gets triggered and indexed (and not _time from the events). However, I have heard that there is a feature in the upcoming version of ES where we can select notable time.

bluewizard · ‎05-29-2023

is this technically possible, or everytime i run sendalert notable it will create a notable with time now?

How to create notable manually with selected timestamp?

notable event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?