Is it possible to generate a "ticket number" style...

gmrtn14 · ‎10-10-2016

I'd like each notable event that is raised in ES to have a unique "ticket number" style reference, automatically incrementing as events are raised - along the same kind of lines as ticket reference numbers that are created in systems like ServiceNow when a ticket is raised.

I appreciate that the event_id field is a unique reference for each notable but it's not user friendly enough to be used as a point of reference between multiple analysts

Is there a way to achieve what I am looking for?

hazekamp · ‎10-24-2016

For now, I would check out the "Share Notable Event" action in the Actions dropdown per notable event. This produces direct hyperlinks to the notable event with a copy-clipboard option. While not a "ticket number", this link can be distributed in digital-friendly ways:

https://server:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=rule...

tezkpk · ‎10-19-2016

You could build a lookup process, which would link the event_id to a more user-friendly ticket number. I am sure that it could be automated with a python script, or some other form of scripting.

Is it possible to generate a "ticket number" style reference for a notable event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!