Splunk Enterprise Security: Variable substitution does not work for all fields?
gargantua
Explorer
04-28-2023
02:30 AM
Hi all,
I created a correlation search in Splunk ES and added a Notable Event in the Adaptive Response Actions.
I'd like to include in the notable some information from the correlation search results, such as orig_host, ip, and some other custom fields.
- I went to Incident Review Settings in order to add my custom fields to the Event Attributes
- I customized my correlation search query so that the returned fields are named according to the Event Attributes that already exist, plus the custom ones that I just created
- In the correlation search, in the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction
I then added a few variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$".
The $custom_field_1$ and $custom_field_2$ variables work and return the right values.
$orig_host$ and $orig_host_owner$ don't, and return the strings $orig_host$ and $orig_host_owner$.
I'm a bit confused.
Has anybody had this before?
Thanks for your kind help!
