Splunk Enterprise Security

How to use variable names in notable events?

mdicenzo
Explorer

I am trying to include dynamic names for a notable event that I have triggering. When I try to use $variable$ it just shows that and does not pull the field value.

My search:

index = o365 sourcetype="mscs:azure:eventhub" body.operationName="User Risk Detection" "body.properties.riskLevel"=high
| rename body.properties.userDisplayName AS "Display Name"

 

My Name:

Office 365 Risky User Detected - $Display Name$

Can anyone help?

 

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...