- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security: Why is a field in nota...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers.
I have been creating new notable events in Enterprise Security, and for some events, defining my own field names as per this post: https://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm...
Up until now, everything has been going along just fine, but for whatever reason, I cannot get certain fields to show up in the event. For example:
values(duser) as "user" in my search returns a value in the stats table of "user" as "user@mycompany.com", but this does not show up in the notable event using the same search, and calling the variable $user$ in the notification description returns "Unknown".
I have checked in my customized copy of log_review.conf, and the field "user" is correctly defined. Other CIM and custom defined fields work for the same event, and even adding another field/label pair in log_review.conf doesn't seem to work for this particular field. get_event_id and map_notable_fields macros are both used in the search.
A restart of Splunk isn't solving the issue.
Your thoughts will be much appreciated!
Gary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mapping the value to a unique name, so:
{"field": "duser", "label": "Source Email User"},\
Has seemingly fixed the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mapping the value to a unique name, so:
{"field": "duser", "label": "Source Email User"},\
Has seemingly fixed the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is a snip from log_review.conf:
{"field": "UsedMBytes", "label": "Used Megabytes"},\
{"field": "user", "label": "User"},\
{"field": "User", "label": "User"},\
{"field": "user_group", "label": "User Group"},\
{"field": "user_group_id", "label": "User Group Identifier"},\
-rw------- 1 splunk splunk 23067 Jan 20 12:32 ./splunk/etc/apps/SA-ThreatIntelligence/local/log_review.conf
As I mentioned, other standard and custom-defined fields are working perfectly, for example "Dest Port", which appears in the same events that "user" does not:
{"field": "dpt", "label": "Dest Port"}\
]
EOF (the trailing backslash is present on the above snip, it's just been stripped by the forum)
Any thoughts on where to look, why to try would be welcomed!
Gary.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
