I have a correlation search in which I use a simple eval command to create a new field (ex. eval test=123). This field shows in the search; however, when I set this search as an alert, the eval field I created is missing on the notable event. How do I ensure that this custom field is being sent along with the other data that is sent by default as a notable event?
Thanks for the link, I've followed all of these steps and am still not getting the results I need. When I look at the notable event index and at the event in question, the eval field I created within the correlation search is not present.
So you're creating the field in the search but it's not showing in the results? I'd test this out further separate from a correlation search, and run the search directly in Splunk and see if there is something incorrect in the search syntax.
When I run the search manually and look at the results, I can see the field I created. I have this search set as an alert; once triggered, it sends the event to the notable event index. When I go and look at the notable event index, and specifically at this event, the eval field I created does not come over with the other data. Everything else comes over as expected; it's just this eval field I created in the search that is no longer present.
That's odd. Can you share the search syntax (even if it's a bit obscured)?
Also, does the same thing happen if you search the notable index using the notable macro rather than searching the index directly?
I looked at the index and macro and had the same problem. I can't post the search, but I can show an example of the eval statement I am writing. If something seems off, please let me know.
eval firstdate=ceil(time), seconddate=ceil(time)*1000
The key thing is that you need to add your custom field (e.g. test) to Incident Review - Event Attributes [under Config -> Incident Review Settings].
You can follow the steps in the link from p_gurav above.
I've checked that this setting was in place as well, but I am still not getting the data. Under the notable index, in the event in question, the eval field I created is not present even though it shows in the correlation search.