Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- I would like to create a Workflow action (using a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When constructing the post data from a Notable Event in Enterprise Security Incident Review dashboard as an event action, the $rule_title$ field is sent through with unexpanded tokens such as "$signature$ - IDS watchlist event for $src$" instead of the actual title. If instead I perform the same Workflow action from the results of a search for the notable event in the format "notable_by_id(xxx) |expandtoken" then the value is passed through as desired. So I can achieve what I want I suppose with two Workflow actions: first a search, then a POST link, but that seems silly. Is there any way to get the POST link action to expand the tokens from the dashboard without having to open the notable in a new search and pipe it to the expandtoken command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well since no one has an answer I guess I will share my own solution. Seems after much experimentation the best solution I can offer is to end the correlation search with an eval statement and add the rule_title to a new field and expand it myself. This means I now have to have the text in two places and need to keep it in sync and I now need to go through and edit a whole bunch of correlation searches. This seems an obvious short coming in the tool, perhaps someone should fix it. Based on the example above I would add
|eval ticket_title=signature." - IDS watchlist event for ".src
to the end of the search. Then in my workflow action I could add $ticket_title$ instead of $rule_title$ to the post command and I would get the expanded fields. This is stupid but it works and does not require an extra search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well since no one has an answer I guess I will share my own solution. Seems after much experimentation the best solution I can offer is to end the correlation search with an eval statement and add the rule_title to a new field and expand it myself. This means I now have to have the text in two places and need to keep it in sync and I now need to go through and edit a whole bunch of correlation searches. This seems an obvious short coming in the tool, perhaps someone should fix it. Based on the example above I would add
|eval ticket_title=signature." - IDS watchlist event for ".src
to the end of the search. Then in my workflow action I could add $ticket_title$ instead of $rule_title$ to the post command and I would get the expanded fields. This is stupid but it works and does not require an extra search.
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
