Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to generate a "ticket number" style reference for a notable event?

gmrtn14
New Member
‎10-10-2016 06:47 AM

I'd like each notable event that is raised in ES to have a unique "ticket number" style reference, automatically incrementing as events are raised - along the same kind of lines as ticket reference numbers that are created in systems like ServiceNow when a ticket is raised.

I appreciate that the event_id field is a unique reference for each notable but it's not user friendly enough to be used as a point of reference between multiple analysts

Is there a way to achieve what I am looking for?

0 Karma
Reply

hazekamp
Builder
‎10-24-2016 09:43 AM

For now, I would check out the "Share Notable Event" action in the Actions dropdown per notable event. This produces direct hyperlinks to the notable event with a copy-clipboard option. While not a "ticket number", this link can be distributed in digital-friendly ways:

https://server:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=rule...

alt text

Reply

tezkpk
Engager
‎10-19-2016 07:28 PM

You could build a lookup process, which would link the event_id to a more user-friendly ticket number. I am sure that it could be automated with a python script, or some other form of scripting.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
li.common.scroll-to.top