Splunk Enterprise Security
Splunk Enterprise Security: How to set up alerts when a notable event with urgency High & Critical arises in the Incident review?

Hi

How to set up alerts when a notable event with urgency High & Critical arises in the Incident review with event details?

Re: Splunk Enterprise Security: How to set up alerts when a notable event with urgency High & Critical arises in the Incident review?

This is what I used. Hopefully this can help you out.

```spl
`notable` | where urgency="high" OR urgency="critical" | table _time source src dest user | eval computer=coalesce(src,dest)
```

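The search above only returns the matching notables; to actually alert on them it has to be saved as a scheduled search with an alert action. The following savedsearches.conf stanza is an added example, not from the original post or from Splunk's shipped configuration: it schedules that search, emails each result, and throttles repeats per host and rule. The stanza name, the recipient address, the 5-minute schedule and the use of the ES notable field `rule_name` are assumptions.

```ini
# Constructed example (not the original poster's configuration).
# Put it in <app>/local/savedsearches.conf on the search head running
# Splunk Enterprise Security; the `notable` macro is provided by ES.
[Notable - High or Critical Urgency - Alert]
search = `notable` | where urgency="high" OR urgency="critical" \
    | eval computer=coalesce(src,dest) \
    | table _time rule_name urgency source src dest computer user
# Run every 5 minutes over the previous 5-minute window
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Trigger whenever at least one notable matches
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# One email per result so the event details ride along in the message;
# $result.<field>$ tokens are filled from each row of the search output
alert.digest_mode = 0
action.email = 1
# placeholder recipient, replace with the real SOC mailbox
action.email.to = soc@example.com
action.email.subject = ES notable ($result.urgency$) on $result.computer$ - $result.rule_name$
action.email.inline = 1
action.email.format = table
# Throttle: do not re-alert for the same host and rule within 60 minutes
alert.suppress = 1
alert.suppress.fields = computer,rule_name
alert.suppress.period = 60m
# Record firings under Activity > Triggered Alerts
alert.track = 1
alert.severity = 5
```

If notables arrive with indexing delay, widen `dispatch.earliest_time` slightly and rely on the suppression fields to keep the overlap from producing duplicate emails.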