Splunk Enterprise Security

Splunk Enterprise Security: Why is a field in notable event search results not showing up in the event?

Path Finder

Hello Splunkers.

I have been creating new notable events in Enterprise Security, and for some events, defining my own field names as per this post: https://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm...

Up until now, everything has been going along just fine, but for whatever reason, I cannot get certain fields to show up in the event. For example:

values(duser) as "user" in my search returns a value in the stats table of "user" as "user@mycompany.com", but this does not show up in the notable event using the same search, and calling the variable $user$ in the notification description returns "Unknown".

I have checked in my customized copy of log_review.conf, and the field "user" is correctly defined. Other CIM and custom defined fields work for the same event, and even adding another field/label pair in log_review.conf doesn't seem to work for this particular field. get_event_id and map_notable_fields macros are both used in the search.

A restart of Splunk isn't solving the issue.

Your thoughts will be much appreciated!

Gary.

0 Karma
1 Solution

Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

View solution in original post

Path Finder

Mapping the value to a unique name, so:

{"field": "duser", "label": "Source Email User"},\

Has seemingly fixed the issue.

View solution in original post

Path Finder

Below is a snip from log_review.conf:

                {"field": "UsedMBytes",                  "label": "Used Megabytes"},\
                {"field": "user",                        "label": "User"},\
                {"field": "User",                        "label": "User"},\
                {"field": "user_group",                  "label": "User Group"},\
                {"field": "user_group_id",               "label": "User Group Identifier"},\

-rw------- 1 splunk splunk 23067 Jan 20 12:32 ./splunk/etc/apps/SA-ThreatIntelligence/local/log_review.conf

As I mentioned, other standard and custom-defined fields are working perfectly, for example "Dest Port", which appears in the same events that "user" does not:

{"field": "dpt", "label": "Dest Port"}\
]

EOF (the trailing backslash is present on the above snip, it's just been stripped by the forum)

Any thoughts on where to look, why to try would be welcomed!

Gary.

0 Karma