I'm currently stumped in trying to figure out why my notable event token is not working. I verified that the field the token uses exists in the correlation search result (example below).
| stats dc("dest") AS host_count
Notable Event Title:
on $host_count$ hosts.
The token for some reason doesn't expand and output the number 13...
Can you guys help in figuring this out? Thank you for your time.
When you see the incident in Incident Review -- Have you ever looked at the 'notable' drill down?
This will drill down to the raw event in the notables index. Check to make sure your field is there.
Sometimes field names get manipulated in the notable so they don't collide with the fields in the notable index.
Thanks for the quick response. This correlation search isn't using a datamodel or tstats and we're just searching against a custom index (old searches previously made by someone else...)
So I verified the drill down search has the same field. I've been ripping my hair out trying different stuff to get it to work but no luck ;__; It's not a big deal but it bugs the heck outta me.
So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search?
If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache?
I cleared my browser cache and history but no luck.
There are two tokens used in the Notable Event title; it's just the hostcount field that doesn't work for some reason. Initially I didn't use the hostcount in the drill-down search title, but I tested it just now and that also doesn't work for some reason. I only pass the working token to the actual drill-down search and title, and that works fine.
The issue just seems to be the host_count field.
hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory.
I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it.
So the correlation search looks like this:
index=test sourcetype="example" | stats dc(dest) AS hostcount, values("dest") AS hostname, values("matchhash") AS hash, values("path") AS filepath by "intel_name"
So it outputs a table like this:
intelname | hostcount | hostname | hash | filepath
All of the fields are in the notable index when I checked. I used the hash field token just fine in the notable event title - not sure what's going on...
Does your resulting table only have a single row in it? Or are there multiple rows?
dc returns a single value, but I think values returns a multi-value field.
I'm just shooting in the dark at this point but maybe:
Change dc(dest) AS hostcount -> values(dest) AS hostcount
Swap the field names -> dc(dest) AS hash, values("matchhash") AS hostcount
Remove the by "intel_name".
I did notice that you seem to be quoting the other fields, but not dc(dest)?
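One check worth making before changing the search: the alias in the first post is written host_count and in the later post hostcount, and a $...$ token only expands when it matches the result field name exactly. The script below is an added stand-in for that expansion, not Splunk's own code: it takes a constructed row shaped like the stats output in the thread (hostcount single-valued, the values() fields multi-valued) and reports which tokens in a title template do not resolve.

```python
import re

# Constructed sample: one row of the correlation search output described in the
# thread (stats dc(dest) AS hostcount, values(...) AS hostname/hash/filepath by intel_name).
# values() produces multi-value fields, modelled here as lists.
SAMPLE_ROW = {
    "intel_name": "example-feed",
    "hostcount": "13",
    "hostname": ["host-a", "host-b"],
    "hash": ["constructed-hash-value"],
    "filepath": ["C:\\tmp\\sample.exe"],
}

# A token is $name$ where name is a field name (letters, digits, underscore, dot).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def expand_tokens(template, row):
    """Return (expanded_text, unresolved_tokens) for a $field$ template.

    Multi-value fields are joined with a comma; a token whose name is not a
    field in the row is left untouched and reported as unresolved."""
    unresolved = []

    def substitute(match):
        name = match.group(1)
        if name not in row:
            unresolved.append(name)
            return match.group(0)
        value = row[name]
        if isinstance(value, (list, tuple)):
            return ", ".join(str(v) for v in value)
        return str(value)

    return TOKEN_RE.sub(substitute, template), unresolved


def check_title(template, row):
    """Summarise how a notable title would render against this row, listing the
    fields actually available so a token name can be compared with the AS alias."""
    expanded, unresolved = expand_tokens(template, row)
    return {"expanded": expanded, "unresolved": unresolved, "available": sorted(row)}


if __name__ == "__main__":
    # Same title with the two spellings that appear in the thread.
    print(check_title("$hash$ seen on $host_count$ hosts.", SAMPLE_ROW))
    print(check_title("$hash$ seen on $hostcount$ hosts.", SAMPLE_ROW))
```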