Splunk Enterprise Security: What happens to host_* fields in notable events?

gabriel_vasseur
Contributor

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc from using the get_asset macro.

I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?

I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attributes. Yet there is still no trace of that field in the notable index.

The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...

0 Karma
1 Solution

jwelch_splunk
Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" where we dump them.

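As an added example (not code from the thread, from Splunk, or from the Enterprise Security app), the following Python takes the [notable_by_id(1)] macro definition quoted above, splits it into pipeline stages, collects every "fields - ..." stage, and reports which fields of a correlation search would be absent from the notable. It also models the rename-to-dest workaround from the question. It assumes that Python's fnmatch is an adequate model of SPL wildcard matching in "fields -", that the macro text is exactly as quoted in the answer, and the host_* enrichment field names beyond host_nt_host and host_ip (host_owner, host_priority) are constructed sample names.

```python
import fnmatch
import re

# Macro definition quoted in the accepted answer (stanza [notable_by_id(1)]),
# copied from the thread as it appears there.
NOTABLE_BY_ID_DEFINITION = (
    "get_notable_index | eval get_event_id_meval,rule_id=event_id "
    '| search event_id="$event_id$" | fields - host_* | tags outputfield=tag '
    "| mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup "
    "| get_correlations | get_current_status | get_owner | get_urgency | typer "
    "| tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract "
    "| risk_correlation"
)

# Constructed sample: fields a correlation search might carry after get_asset
# enrichment on `host`. host_nt_host and host_ip are named in the question;
# host_owner and host_priority are assumed names used only for illustration.
SAMPLE_NOTABLE_FIELDS = [
    "rule_id", "event_id", "orig_host", "host",
    "host_nt_host", "host_ip", "host_owner", "host_priority",
    "tag", "orig_tag",
]


def split_pipeline(spl):
    """Split an SPL string into stages on '|' characters outside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def removed_field_patterns(spl):
    """Collect the wildcard patterns named by every 'fields - ...' stage, in order."""
    patterns = []
    for stage in split_pipeline(spl):
        match = re.match(r"fields\s+-\s+(.+)$", stage)
        if match:
            patterns.extend(p.strip() for p in match.group(1).split(",") if p.strip())
    return patterns


def surviving_fields(fields, spl):
    """Model which of `fields` remain after the macro's 'fields -' stages.

    'fields -' accepts wildcards; fnmatch models that here (an assumption):
    'host_*' matches host_nt_host but neither 'host' nor 'orig_host'.
    """
    patterns = removed_field_patterns(spl)
    return [f for f in fields if not any(fnmatch.fnmatchcase(f, p) for p in patterns)]


def dropped_fields(fields, spl):
    """Complement of surviving_fields: what an analyst will not see in the notable."""
    kept = set(surviving_fields(fields, spl))
    return [f for f in fields if f not in kept]


def rename_host_to_dest(fields):
    """Model the question's workaround: rename host to dest before enrichment,
    so the asset fields land in dest_* names, which no stage of the macro removes."""
    renamed = []
    for f in fields:
        if f == "host":
            renamed.append("dest")
        elif f.startswith("host_"):
            renamed.append("dest_" + f[len("host_"):])
        else:
            renamed.append(f)
    return renamed


if __name__ == "__main__":
    print("removed by macro:",
          dropped_fields(SAMPLE_NOTABLE_FIELDS, NOTABLE_BY_ID_DEFINITION))
    print("removed after rename workaround:",
          dropped_fields(rename_host_to_dest(SAMPLE_NOTABLE_FIELDS),
                         NOTABLE_BY_ID_DEFINITION))
```

Running the script reports the four host_* enrichment fields as removed while orig_host, host and the rest survive, and reports nothing removed once the fields are renamed to dest_*, which matches the behaviour described in the question and answer.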
alemarzu
Motivator

Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are supposed to fill in manually?

0 Karma

gabriel_vasseur
Contributor

Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.

0 Karma

smoir_splunk
Splunk Employee

Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.

gabriel_vasseur
Contributor

I downvoted this post because, sorry, this doesn't help.

0 Karma

gabriel_vasseur
Contributor

Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.

0 Karma