Splunk Enterprise Security

Splunk Enterprise Security: Why is a field in notable event search results not showing up in the event?

gary_richardson
Path Finder

Hello Splunkers.

I have been creating new notable events in Enterprise Security, and for some events, defining my own field names as per this post: https://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm...

Up until now, everything has been going along just fine, but for whatever reason, I cannot get certain fields to show up in the event. For example:

values(duser) as "user" in my search returns a value in the stats table of "user" as "user@mycompany.com", but this does not show up in the notable event using the same search, and calling the variable $user$ in the notification description returns "Unknown".

I have checked in my customized copy of log_review.conf, and the field "user" is correctly defined. Other CIM and custom defined fields work for the same event, and even adding another field/label pair in log_review.conf doesn't seem to work for this particular field. get_event_id and map_notable_fields macros are both used in the search.

A restart of Splunk isn't solving the issue.

Your thoughts will be much appreciated!

Gary.

0 Karma
1 Solution

gary_richardson
Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

View solution in original post

gary_richardson
Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

gary_richardson
Path Finder

Below is a snip from log_review.conf:

                {"field": "UsedMBytes",                  "label": "Used Megabytes"},\
                {"field": "user",                        "label": "User"},\
                {"field": "User",                        "label": "User"},\
                {"field": "user_group",                  "label": "User Group"},\
                {"field": "user_group_id",               "label": "User Group Identifier"},\

-rw------- 1 splunk splunk 23067 Jan 20 12:32 ./splunk/etc/apps/SA-ThreatIntelligence/local/log_review.conf

As I mentioned, other standard and custom-defined fields are working perfectly, for example "Dest Port", which appears in the same events that "user" does not:

{"field": "dpt", "label": "Dest Port"}\
]

EOF (the trailing backslash is present on the above snip, it's just been stripped by the forum)

Any thoughts on where to look, why to try would be welcomed!

Gary.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...