Hello,
I have followed https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Customizenotables and created Additional Fields under the "Incident Review Settings" page and saved my changes. Now I am seeing that when a notable is created in the Incident Review dashboard, none of my new additional fields are showing up there. I have verified that when I run the search manually, those fields are there and there is no typo in their names.
2 questions:
1) Is there a default limit on how many additional fields show at most for a Notable? The way I see it, not all fields are showing up.
2) Is there a way to customize which additional fields to show for which Notable event / Correlation search?
When you say "run the search manually", do you mean the correlation search that generates the events, or the REST API SPL search that verifies active Additional Fields (via the link you provided)?
If you haven't done so already, verify the REST API results are what you expect. If not as expected, return to Configure > Incident Management > Incident Review Settings to ensure the additional fields have an appropriate label and the correct field name, then click Done and then Save.
If the REST API results are as expected, ensure that the correlation search outputs the relevant fields. I.e. if you are using a command like stats or transaction, ensure you are including the fields that you want to display in the Additional Fields list.
Next, has the correlation search run recently? If you are looking at data run by an earlier search, you may be retrieving the existing results and/or looking at cached content.
Use the `notable` macro to review index=notable enriched by data in the incident_review KV store. If necessary, review the KV store separately.
If all looks correct and a more recent notable event does not update the fields, try refreshing the Search Head via your equivalent of the following URL, substituting https, hostname and port as necessary.
http://splunkhost:8000/en-US/debug/refresh
Other troubleshooting steps you can try include clearing your browser cache & restarting the browser, trying a different browser, and looking for any Splunk internal logs at the time of the search / notable generation / incident review page view.
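The two checks above (the field name in Incident Review Settings must match the search output exactly, and a stats or transaction command must carry the wanted fields through) can be rehearsed offline. The script below is an added example, not code from the original thread or from Splunk; the labels, field names, result rows and correlation searches in it are constructed for the demo, and the stats parsing is a simple heuristic rather than a real SPL parser.

```python
"""Offline sanity check for Incident Review "Additional Fields".

Constructed example (not Splunk's own code or data): compare the field names
configured under Incident Review Settings with the fields a correlation search
actually returns, and inspect the search's last `stats` clause for the fields
it drops. Every name, label, row and search below is made up for the demo.
"""
import re

# Constructed: what was typed into Incident Review Settings (label + field name).
CONFIGURED_FIELDS = [
    {"label": "Source", "field": "src"},
    {"label": "Destination", "field": "dest"},
    {"label": "User", "field": "user "},            # trailing space, easy to miss in the UI
    {"label": "Process", "field": "Process_Name"},  # case differs from the search output
    {"label": "Signature", "field": "signature"},   # never produced by the search
    {"label": "Device", "field": "dvc"},            # produced, but always empty
]

# Constructed: rows returned when the correlation search is run by hand.
SEARCH_ROWS = [
    {"src": "10.0.0.5", "dest": "10.0.0.9", "count": "31",
     "user": "svc_backup", "process_name": "sshd", "dvc": ""},
    {"src": "10.0.0.6", "dest": "10.0.0.9", "count": "27",
     "user": "admin", "process_name": "sshd", "dvc": ""},
]

# Constructed correlation searches: the first narrows results to src/dest only,
# the second carries user and process_name through the stats command.
DROPS_FIELDS = "index=auth action=failure | stats count by src, dest | where count > 20"
KEEPS_FIELDS = ("index=auth action=failure "
                "| stats count values(user) as user values(process_name) as process_name by src, dest "
                "| where count > 20")


def _normalise(name):
    """Fold case and strip all whitespace so near-misses can be paired up."""
    return re.sub(r"\s+", "", name).lower()


def check_additional_fields(configured, rows):
    """Classify each configured field against the search output.

    Returns a dict with keys ok, near_miss (pairs of configured, actual),
    missing, and empty (present on every row but with no value to display).
    """
    present = set()
    for row in rows:
        present.update(row.keys())
    by_norm = {_normalise(n): n for n in present}
    report = {"ok": [], "near_miss": [], "missing": [], "empty": []}
    for entry in configured:
        field = entry["field"]
        if field in present:
            values = [row.get(field) for row in rows]
            # Incident Review shows nothing for a field that is empty on every row.
            report["empty" if all(not v for v in values) else "ok"].append(field)
        elif _normalise(field) in by_norm:
            report["near_miss"].append((field, by_norm[_normalise(field)]))
        else:
            report["missing"].append(field)
    return report


def fields_kept_by_stats(spl):
    """Heuristic: field names that survive the last `stats` in a search.

    stats keeps only its aggregation outputs (renamed via `as`) and the `by`
    fields; every other field is gone. Returns None when there is no stats.
    """
    segments = [s.strip() for s in spl.split("|")]
    stats_segments = [s for s in segments if re.match(r"stats\b", s, re.I)]
    if not stats_segments:
        return None
    body = stats_segments[-1][len("stats"):]
    parts = re.split(r"\s+by\s+", body, maxsplit=1, flags=re.I)
    agg_part = parts[0]
    by_part = parts[1] if len(parts) > 1 else ""
    kept = set()
    # Each aggregation is `func(field)` or a bare word like count, optionally `as name`.
    for m in re.finditer(r"(\w+(?:\([^)]*\))?)(?:\s+as\s+(\w+))?", agg_part, re.I):
        kept.add(m.group(2) or m.group(1))
    kept.update(f for f in re.split(r"[,\s]+", by_part.strip()) if f)
    return kept


def missing_from_search(spl, configured):
    """Configured field names the search's stats clause does not output (exact match)."""
    kept = fields_kept_by_stats(spl)
    if kept is None:
        return []
    return sorted(e["field"] for e in configured if e["field"] not in kept)


if __name__ == "__main__":
    for category, fields in check_additional_fields(CONFIGURED_FIELDS, SEARCH_ROWS).items():
        print(f"{category:10s} {fields}")
    print("dropped by first search: ", missing_from_search(DROPS_FIELDS, CONFIGURED_FIELDS))
    print("dropped by second search:", missing_from_search(KEEPS_FIELDS, CONFIGURED_FIELDS))
```

Paste the Additional Fields list and a couple of result rows from the manual search into the two constants and run it; a near_miss entry is the typo case from the steps above, a missing entry means the correlation search never emits the field, and an empty entry means the value is blank so nothing is shown even though the field exists. The stats heuristic only covers plain `stats` segments; transaction and other commands still need to be checked by reading the search.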