Splunk Enterprise Security

Splunk Enterprise Security : Variable substitution does not work for all fields?

gargantua
Path Finder

Hi all,

I created a correlation search in Splunk ES and added a Notable Event in the Adaptive Response Actions.

I'd like to include in the notable some information from the correlation search results, such as orig_host, ip, and some other custom fields.

  • I went to Incident Review Settings in order to add my custom fields to the Event Attributes
  • I customized my correlation search query so that the returned fields are named according to the Event Attributes that already exist, plus the custom ones that I just created
  • In the correlation search, in the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction


I then added a few variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$".

$custom_field_1$ and $custom_field_2$ variables work and return the right values.

$orig_host$ and $orig_host_owner$ don't and return the strings $orig_host$ and $orig_host_owner$.

I'm a bit confused.

Has anybody had this before?

Thanks for your kind help!

0 Karma
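As an added illustration (not part of the original post, and not an official Splunk ES answer), the correlation search below shows one way to make sure every field referenced by a `$token$` in the notable title is actually present in each result row. It assumes, as a working hypothesis, that token substitution only resolves against fields carried in the correlation search results themselves, so a field that exists only in asset or identity extraction settings but not in the result row is left as the literal token. The index, sourcetype, lookup name and field names are constructed placeholders, not taken from the post.

```spl
index=auth sourcetype=linux_secure action=success
| eval custom_field_1=user, custom_field_2=target_user
| eval orig_host=coalesce(orig_host, src, host)
| lookup asset_lookup_by_str asset AS orig_host OUTPUTNEW owner AS orig_host_owner
| fillnull value="unknown" orig_host orig_host_owner
| table _time custom_field_1 custom_field_2 orig_host orig_host_owner src
```

The `coalesce` and `fillnull` lines guarantee that `orig_host` and `orig_host_owner` exist on every row even when the upstream event lacks them; the `table` command pins the field set the notable can draw tokens from. The `asset_lookup_by_str` call is assumed here for illustration and should be checked against the lookups present in your own ES deployment.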