Splunk Enterprise Security

Splunk Enterprise Security: Why is a field in notable event search results not showing up in the event?

Path Finder

Hello Splunkers.

I have been creating new notable events in Enterprise Security, and for some events, defining my own field names as per this post: https://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm...

Up until now, everything has been going along just fine, but for whatever reason, I cannot get certain fields to show up in the event. For example:

values(duser) as "user" in my search returns a value in the stats table of "user" as "user@mycompany.com", but this does not show up in the notable event using the same search, and calling the variable $user$ in the notification description returns "Unknown".

I have checked in my customized copy of logreview.conf, and the field "user" is correctly defined. Other CIM and custom defined fields work for the same event, and even adding another field/label pair in logreview.conf doesn't seem to work for this particular field. get_event_id and map_notable_fields macros are both used in the search.

A restart of Splunk isn't solving the issue.

Your thoughts will be much appreciated!

Gary.

0 Karma
1 Solution

Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

View solution in original post

Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

View solution in original post

Path Finder

Below is a snip from log_review.conf:

                {"field": "UsedMBytes",                  "label": "Used Megabytes"},\
                {"field": "user",                        "label": "User"},\
                {"field": "User",                        "label": "User"},\
                {"field": "user_group",                  "label": "User Group"},\
                {"field": "user_group_id",               "label": "User Group Identifier"},\

-rw------- 1 splunk splunk 23067 Jan 20 12:32 ./splunk/etc/apps/SA-ThreatIntelligence/local/log_review.conf

As I mentioned, other standard and custom-defined fields are working perfectly, for example "Dest Port", which appears in the same events that "user" does not:

{"field": "dpt", "label": "Dest Port"}\
]

EOF (the trailing backslash is present on the above snip, it's just been stripped by the forum)

Any thoughts on where to look, why to try would be welcomed!

Gary.

0 Karma