Splunk Enterprise Security
Highlighted

In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Explorer

I have a correlation search in which I use a simple eval command to create a new field (ex. eval test=123). This field shows in the search; however, when I set this search as an alert, the eval field I created is missing on the notable event. How do I ensure that this custom field is being sent along with the other data that is sent by default as a notable event?

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Champion
0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Explorer

Thanks for the link, I've followed all of these steps and am still not getting the results I need. When I look at the notable event index and at the event in question, the eval field I created within the correlation search is not present.

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Splunk Employee

So you're creating the field in the search, but it's not showing in the results? I'd test this out further, separate from a correlation search: run the search directly in Splunk and see if there is something incorrect in the search syntax.

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Explorer

When I run the search manually and look at the results, I can see the field I created. I have this search set as an alert; once triggered, it sends the event to the notable event index. When I go and look at the notable event index, and specifically at this event, the eval field I created does not come over with the other data. Everything else comes over as expected; it's just this eval field I created in the search that is no longer present.

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Splunk Employee

That's odd. Can you share the search syntax (even if it's a bit obscured)?

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Splunk Employee

Also, does the same thing happen if you search the notable index using the notable macro rather than searching the index directly?

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Explorer

I looked at the index and the macro and had the same problem. I can't post the search, but I can show an example of the eval statement I am writing. If something seems off, please let me know.

eval firstdate=ceil(time), seconddate=ceil(time)*1000

0 Karma

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

SplunkTrust

The key thing is that you need to add your custom field (e.g. test) to Incident Review - Event Attributes (under Config -> Incident Review Settings).

You can follow the steps in the link from p_gurav above.

0 Karma
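As an added worked example (not part of the original thread, and not the poster's real search), the following three searches put the advice above together: a constructed correlation search that creates custom eval fields, and the two diagnostic searches suggested earlier for checking whether those fields actually reached the notable index. The index, sourcetype, field names and the rule name "Brute Force - Custom Eval Test" are assumed placeholders; `search_name` is the field on notable events that carries the correlation search name. Note that the eval operates on `_time` (the indexed timestamp) rather than a field called `time`; if eval's argument is a field that does not exist in the results, the expression evaluates to null and the new field is never created, so it cannot be written to the notable event no matter how Incident Review is configured.

```spl
index=web sourcetype=access_combined status=401
| stats count AS failed_logins, min(_time) AS firstseen, max(_time) AS lastseen BY src, user
| where failed_logins > 20
| eval firstdate=ceil(firstseen), seconddate=ceil(lastseen)*1000
| table _time src user failed_logins firstdate seconddate
```

Once the search is saved as a correlation search with the Notable adaptive response action, the first check reads the raw notable index directly and lists only the fields of interest, so a missing column shows up immediately:

```spl
index=notable search_name="Brute Force - Custom Eval Test"
| table _time search_name src user failed_logins firstdate seconddate
```

The second check goes through the `notable` macro, which applies Incident Review's field processing on top of the raw index; comparing the two outputs tells you whether the field is absent from the stored event (a search-side problem) or present in the index but hidden from Incident Review (a display-side problem that the Event Attributes setting fixes):

```spl
`notable`
| search search_name="Brute Force - Custom Eval Test"
| table _time search_name src user failed_logins firstdate seconddate
```

If `firstdate` and `seconddate` are empty in the first search but `failed_logins` is populated, the eval itself produced no value at alert time, which is the first thing to rule out before touching the Incident Review configuration.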

Re: In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?

Explorer

I've checked that this setting is in place as well, but I am still not getting the data. Under the notable index, in the event in question, the eval field I created is not present, even though it shows on the correlation search.

0 Karma