Splunk Enterprise Security

Sendalert risk does not populate source_guid / source_event_id — UI-created risk events do

Sky
New Member

Hi everyone,

I’m seeing a discrepancy with the Risk Modular Alert Action in Splunk ES. When triggering the risk action via sendalert risk, the resulting risk events do not include source_guid and source_event_id. However, when creating a risk event via the UI (e.g., correlation search action configured in the UI, or “Create Risk Event” from a workflow action), those fields are present. I’m trying to determine if this is version/content-related or a bug.

Environment

  • Splunk Enterprise: 9.2.4

  • Splunk Enterprise Security: 8.2.1

Expected behavior

Risk events should include:

  • source_guid (a GUID)

  • source_event_id ({GUID}@@{index}@@{GUID_without_dashes})

Actual behavior

  • Via sendalert risk: Risk modifier events are created but missing source_guid / source_event_id.

  • Via UI (configured risk action / “Create Risk Event”): Risk events include both fields as expected.

Impact

  • These missing fields lead to downstream issues: finding-based detections (formerly Risk Incident Rules) don’t behave as expected, and resulting items do not appear in the Analyst Queue, even though the risk event exists.

  • UI-created risk events with the same semantics do surface correctly in the Analyst Queue.

Questions for the community

  1. On your Splunk/ES version, do sendalert risk and UI-created risk events both populate source_guid / source_event_id, or do you see the same discrepancy?

  2. Was there a change in recent ES/Content versions affecting sendalert risk specifically? Any known issue/bug?

  3. Do you explicitly populate these fields via macro/enrichment for sendalert, or should the action populate them natively?

  4. Has Splunk stated any plans to deprecate or remove creating risk events via SPL (e.g., sendalert risk / collectrisk) in favor of UI-driven actions? If so, what’s the recommended replacement and timeline?

Thanks in advance for your insights!

-- Sky
