Manual Notable Event

ansusabu · ‎09-04-2019

I was trying to create a manual notable event using "sendalert notable". But the name of the notable is coming as "Manual Notable Event- Rule". How can I name the notable to exactly what I want?
Please note that I want to create the notable through senalert only.

inventsekar · ‎09-18-2020

alert_action_name
Syntax: <alert_action_name>Description: The name of the alert action configured in the alert_actions.conf file

May we know the alert_action_name you configured in your alert_actions.conf file please.

(if this post helped you in anyway, pls upvote. if this post resolved your query, pls "accept this as the solution", so that this question will be moved from unanswered to answered, thanks. )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

prashanthberam · ‎07-10-2020

did you get any solution for this. Am facing same problem. Please reply me if you found any solution.

akheraj_splunk · ‎06-01-2020

use the param.search_name="YOUR CUSTOM NAME". you can update the other fields in similar fashion: param.notable_field="YOUR VALUE"

sendalert documentation

bowesmana · ‎06-03-2020

That doesn't work - none of the param fields are added to the notable event - certain fields in the event, e.g. search_name are renamed to orig_search_name if you try to add it that way

Manual Notable Event

notable event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?