Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Why is the notable event for a user lockout correlation search showing urgency as "Unknown"?

kiran331
Builder
‎07-13-2016 01:11 PM

Hi

The notable event for a user lockout correlation search is showing urgency as "Unknown", I tried changing it to Medium, but that is even showing as "Unknown".

Correlation search using:

| datamodel "Change_Analysis" "Account_Lockouts" search | where 'All_Changes.result_id'=4740 | eval tag=mvjoin(tag,"|") | localop | eval severity=if(severity = "Severe","Medium",severity)| rename "_time" as "orig_time","_raw" as "orig_raw","linecount" as "orig_linecount","eventtype" as "orig_eventtype","splunk_server" as "orig_splunk_server","tag" as "orig_tag","timestartpos" as "orig_timestartpos","timeendpos" as "orig_timeendpos"| fields - date_*,punct | eval const_dedup_id="const_dedup_id"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzel
Communicator
‎07-14-2016 02:06 AM

What version of ES are you using because I also had a problem with this and it was fixed when we updated to 4.0.1 also you can have a look here: http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents#How_urgency_is_assigned_to_notable_... to see how the urgency is calculated.

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzel
Communicator
‎07-14-2016 02:06 AM

What version of ES are you using because I also had a problem with this and it was fixed when we updated to 4.0.1 also you can have a look here: http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents#How_urgency_is_assigned_to_notable_... to see how the urgency is calculated.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...