Splunk Enterprise Security

Not all Additional fields showing up under Notable event

neerajs_81
Builder

Hello,
I have followed https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Customizenotables and created Additional Fields under the "Incident Review Settings" page and saved my changes. Now I am seeing that when a notable is created in the Incident Review dashboard, none of my new additional fields are showing up there. I have verified that when I run the search manually, those fields are there and there is no typo in their names.

2 questions:

1) Is there a default limit on how many additional fields show at most for a Notable? The way I see it, not all fields are showing up.

2) Is there a way to customize which additional fields to show for which Notable event / correlation search?

1 Solution

ro_mc
Path Finder

When you say "run the search manually", do you mean the correlation search that generates the events, or the REST API SPL search that verifies active Additional Fields (via the link you provided)?

If you haven't done so already, verify the REST API results are what you expect. If not as expected, return to Configure > Incident Management > Incident Review Settings to ensure the additional fields have an appropriate label and the correct field name, then click Done and then Save.

If the REST API results are as expected, ensure that the correlation search outputs the relevant fields, i.e., if you are using a command like stats or transaction, ensure you are including the fields that you want to display in the Additional Fields list.

Next, has the correlation search run recently? If you are looking at data run by an earlier search, you may be retrieving the existing results and/or looking at cached content.

Use the `notable` macro to review index=notable enriched by data in the incident_review KV store. If necessary, review the KV store separately:

https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/notableeventsplunkes/usingnotable...

If all looks correct and a more recent notable event does not update the fields, try refreshing the Search Head via your equivalent of the following URL, substituting https, hostname and port as necessary.

http://splunkhost:8000/en-US/debug/refresh

Other troubleshooting steps you can try include clearing your browser cache & restarting the browser, trying a different browser, and looking for any Splunk internal logs at the time of the search / notable generation / incident review page view.

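As an added illustration of the stats point in the answer above (example savedsearches.conf stanzas, not from the original post or from Splunk's documentation): a correlation search that aggregates with stats only keeps the fields named in the stats clause, so an Additional Field configured for a field the aggregation drops will never populate in Incident Review. Stanza names, index name and field names are assumed.

```ini
# Constructed example (not from the original post). The stanza names,
# index=firewall and the fields src, dest and user are assumed.

# BROKEN: Additional Fields configured as "dest" and "user" stay empty in
# Incident Review, because stats only emits count and the by-field src.
# Kept disabled here purely for comparison.
[Blocked Traffic Spike - Rule (drops fields)]
search = index=firewall action=blocked | stats count by src | where count > 50
action.notable = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
disabled = 1

# FIXED: every field that should appear as an Additional Field is carried
# through the aggregation, either as a by-field or as an aggregated value,
# so the notable event written to index=notable actually contains it.
[Blocked Traffic Spike - Rule]
search = index=firewall action=blocked | stats count values(dest) as dest values(user) as user by src | where count > 50
action.notable = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
disabled = 0
```

Once the fixed search has fired, the `notable` macro from the answer can confirm what reached the index, e.g. `` `notable` | search search_name="Blocked Traffic Spike - Rule" | table _time src dest user count `` (search name assumed); a field that comes back empty there was not emitted by the search, and no Incident Review setting can display it.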