Splunk Enterprise Security

Search Field in Alert Trigger Notable Name

ph_del_us3r
Explorer

Hello Everyone,

I'm assuming this has come up before, but for the life of me I cannot find the answer.

I am trying to get the value of a field in the triggered alert name. I am using the search below to find out if any sourcetypes haven't reported between 24 and 48 hours.

| metadata type=sourcetypes 
| eval age = now() - lastTime 
| eval days = age / 86400 
| where age >= 86400 and age < (86400*2)

The above search returns a table and one of the columns is sourcetype. I'd like to take the value of that cell (Source A) and lace it into the alert name when it fires. Example: Source Type (Source A) has not reported in over 24 hours.

I have tried $result.sourcetype$, but this only works in emails. I would like this to show up in the notable as well.

If I'm not at all clear or looking at this issue correctly, please let me know.

Labels (2)
0 Karma
1 Solution

ph_del_us3r
Explorer

Solved the issue. For Notable triggers, you can just put $fieldname$ in the title and it will trigger with it. I had to assign the sourcetype field to another variable with eval, but I think this had to be done due to mapping in a configuration file.

$fieldname$ in notable trigger
$result.fieldname$ in email trigger

View solution in original post

0 Karma

ph_del_us3r
Explorer

Solved the issue. For Notable triggers, you can just put $fieldname$ in the title and it will trigger with it. I had to assign the sourcetype field to another variable with eval, but I think this had to be done due to mapping in a configuration file.

$fieldname$ in notable trigger
$result.fieldname$ in email trigger

0 Karma

Vijeta
Influencer

Try using in alert name $result.sourcetype$

0 Karma

ph_del_us3r
Explorer

Sorry, I should have mentioned I tried that in the Alert Title.

I may be confusing the Title with the Name, but when I tried that in the rule it fired with the literal string "$result.sourcetype$" in the name.

0 Karma

Vijeta
Influencer

Not sure about the query, if the field name is correct it should get the value in $result.sourcetype$ when you add this in the alert action title . Where are you passing this variable?

0 Karma

ph_del_us3r
Explorer

I did some testing and realized that $result.sourcetype$ does work within the email trigger, but not for notable. The notable triggered with the literal string $result.sourcetype$, is there a way to make the notable trigger with a different name?

0 Karma

ph_del_us3r
Explorer

I'm not passing the variable anywhere. I thought that the alert would fire and take the cell value of "sourcetype". I updated my search by adding "| eval source_type = sourcetype" and this copies the value of "sourcetype" to "source_type". I then tried $result.source_type$ in the alert name, but still no luck.

Am I working under the incorrect assumption that this would be passing the variable?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...