Hello Splunkers.
I have been creating new notable events in Enterprise Security, and for some events, defining my own field names as per this post: https://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm...
Up until now, everything has been going along just fine, but for whatever reason, I cannot get certain fields to show up in the event. For example:
values(duser) as "user"
in my search returns a value in the stats table of "user" as "user@mycompany.com", but this does not show up in the notable event using the same search, and calling the variable $user$ in the notification description returns "Unknown".
I have checked in my customized copy of log_review.conf, and the field "user" is correctly defined. Other CIM and custom defined fields work for the same event, and even adding another field/label pair in log_review.conf doesn't seem to work for this particular field. The get_event_id and map_notable_fields macros are both used in the search.
A restart of Splunk isn't solving the issue.
Your thoughts will be much appreciated!
Gary.
Mapping the value to a unique name, so:
{"field": "duser", "label": "Source Email User"},\
Has seemingly fixed the issue.
Below is a snip from log_review.conf:
{"field": "UsedMBytes", "label": "Used Megabytes"},\
{"field": "user", "label": "User"},\
{"field": "User", "label": "User"},\
{"field": "user_group", "label": "User Group"},\
{"field": "user_group_id", "label": "User Group Identifier"},\
-rw------- 1 splunk splunk 23067 Jan 20 12:32 ./splunk/etc/apps/SA-ThreatIntelligence/local/log_review.conf
As I mentioned, other standard and custom-defined fields are working perfectly, for example "Dest Port", which appears in the same events that "user" does not:
{"field": "dpt", "label": "Dest Port"}\
]
EOF (the trailing backslash is present on the above snip, it's just been stripped by the forum)
Any thoughts on where to look, or what to try, would be welcomed!
Gary.
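An added checker, not from the thread or from Splunk, for the kind of collision the accepted answer worked around: it reads a "fields" list in the same backslash-continued JSON form as the log_review.conf snippet above and reports field names that differ only by case, or that share a label. The input below is constructed from the snippet plus the fix.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the "fields" list in a local
# log_review.conf: the snippet from the thread plus the duser mapping from
# the answer. Trailing backslashes are the .conf line continuations.
SAMPLE_FIELDS_CONF = r'''[\
{"field": "UsedMBytes", "label": "Used Megabytes"},\
{"field": "user", "label": "User"},\
{"field": "User", "label": "User"},\
{"field": "user_group", "label": "User Group"},\
{"field": "duser", "label": "Source Email User"},\
{"field": "dpt", "label": "Dest Port"}\
]'''


def strip_continuations(conf_text: str) -> str:
    """Remove the trailing '\\' continuations so the value parses as JSON."""
    return "\n".join(line.rstrip().rstrip("\\") for line in conf_text.splitlines())


def find_collisions(conf_text: str) -> dict:
    """Return field names that collide case-insensitively, and labels reused
    by more than one field, each mapped to the list of offending field names."""
    entries = json.loads(strip_continuations(conf_text))
    by_field = defaultdict(list)
    by_label = defaultdict(list)
    for entry in entries:
        by_field[entry["field"].lower()].append(entry["field"])
        by_label[entry["label"]].append(entry["field"])
    return {
        "field_collisions": {k: v for k, v in by_field.items() if len(v) > 1},
        "label_collisions": {k: v for k, v in by_label.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for kind, hits in find_collisions(SAMPLE_FIELDS_CONF).items():
        for key, fields in hits.items():
            print(f"{kind}: {key!r} used by {fields}")
```

Run it against the "fields" value of your own local log_review.conf; a field like "user" that shares its label or its case-folded name with another entry is worth renaming before digging further.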