Splunk Enterprise Security

Splunk Enterprise Security (ES) - How to do a field lookup for Notable Events?

JohannLiebert92
Path Finder

Hi everyone,

I am creating a workflow action that allows me to links to a website (e.g. google.com) from Incident Review dashboard. The problem is, in order to use the workflow action, I need to pass a field that is available from a lookup file (based on event_id). May I know how to do lookup for the notable events?

Thanks

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

If you intend to use the workflow action from Incident Review or similar pages, that lookup would need to be called from within the notable macro... that macro makes sure the event_id is computed, and therefore your lookup can only be added afterwards.

Then you can use the lookup's output fields in your workflow action as usual.

Caution: Make sure any changes to the default macro made in any upgrade of ES versions also gets replicated in your local copy.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

If you intend to use the workflow action from Incident Review or similar pages, that lookup would need to be called from within the notable macro... that macro makes sure the event_id is computed, and therefore your lookup can only be added afterwards.

Then you can use the lookup's output fields in your workflow action as usual.

Caution: Make sure any changes to the default macro made in any upgrade of ES versions also gets replicated in your local copy.

JohannLiebert92
Path Finder

Ah I see..thanks for the detailed explanations!

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...