Splunk Enterprise Security

Search Field in Alert Trigger Notable Name

ph_del_us3r
Explorer

Hello Everyone,

I'm assuming this has come up before, but for the life of me I cannot find the answer.

I am trying to get the value of a field in the triggered alert name. I am using the search below to find out if any sourcetypes haven't reported between 24 and 48 hours.

| metadata type=sourcetypes 
| eval age = now() - lastTime 
| eval days = age / 86400 
| where age >= 86400 and age < (86400*2)

The above search returns a table and one of the columns is sourcetype. I'd like to take the value of that cell (Source A) and lace it into the alert name when it fires. Example: Source Type (Source A) has not reported in over 24 hours.

I have tried $result.sourcetype$, but this only works in emails. I would like this to show up in the notable as well.

If I'm not at all clear or looking at this issue correctly, please let me know.

0 Karma
1 Solution

ph_del_us3r
Explorer

Solved the issue. For Notable triggers, you can just put $fieldname$ in the title and it will trigger with it. I had to assign the sourcetype field to another variable with eval, but I think this had to be done due to mapping in a configuration file.

$fieldname$ in notable trigger
$result.fieldname$ in email trigger


0 Karma

Vijeta
Influencer

Try using $result.sourcetype$ in the alert name.

0 Karma

ph_del_us3r
Explorer

Sorry, I should have mentioned I tried that in the Alert Title.

I may be confusing the Title with the Name, but when I tried that in the rule it fired with the literal string "$result.sourcetype$" in the name.

0 Karma

Vijeta
Influencer

Not sure about the query; if the field name is correct, it should get the value in $result.sourcetype$ when you add this in the alert action title. Where are you passing this variable?

0 Karma

ph_del_us3r
Explorer

I did some testing and realized that $result.sourcetype$ does work within the email trigger, but not for notable. The notable triggered with the literal string $result.sourcetype$. Is there a way to make the notable trigger with a different name?

0 Karma

ph_del_us3r
Explorer

I'm not passing the variable anywhere. I thought that the alert would fire and take the cell value of "sourcetype". I updated my search by adding "| eval source_type = sourcetype" and this copies the value of "sourcetype" to "source_type". I then tried $result.source_type$ in the alert name, but still no luck.

Am I working under the incorrect assumption that this would be passing the variable?

0 Karma