Splunk Enterprise Security

Tokens in notable event titles and descriptions not getting expanded to include the values of the tokens on the Incident

VasukiPramod
Explorer


Tokens in notable event titles and descriptions are not getting expanded to include the values of the tokens on the Incident Review dashboard, though the search-time extractions do exist in the notable event.

Example:

My notable event title contains the following text:

Suspicious activity detected from User $UserId$

Expected output for the Title in the Incident Review dashboard:

Suspicious activity detected from User XYZ

How the Title column actually gets displayed in the Incident Review dashboard:

Suspicious activity detected from User $UserId$

However, the expansion does work for built-in extractions or fields like sourcetype etc. Tokens work with a few extractions and not with others, even though both of the search-time extractions do exist in the notable events.

0 Karma

SONY_anilyelmar
Explorer

We faced the same and got it fixed with ES 6.6.1 + a hotfix Splunk provided.

0 Karma

lakshman239
Influencer

Please ensure the underlying correlation search returns a valid value for UserId, as this will be used in the Incident Review screen.

0 Karma

VasukiPramod
Explorer

Yes. We do get a valid result when we run the search (correlation search) in Splunk; only the Incident Review dashboard has a problem expanding the token values.

0 Karma

lakshman239
Influencer

Where in the Incident Review dashboard do you see the issue? In the title, description, notable? Generally all of these should work with $fieldname$. If it's in the Incident Review field values pane, then ensure the field is available as described in https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables

Hope this helps.

0 Karma
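Added example (not from the thread or from Splunk's own code): a small diagnostic that mimics the `$fieldname$` substitution discussed above and reports which tokens in a notable title or description have no usable value in the notable event. The token syntax, the sample notable event and the field names other than `UserId` are constructed assumptions for illustration; the point is to check, before blaming the dashboard, that every token in the rule title maps to a field the correlation search actually returns.

```python
import re
from typing import Dict, List, Tuple

# Assumed token syntax: $field$ where the field name is letters, digits, underscores.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def find_tokens(template: str) -> List[str]:
    """Return the field names referenced as $field$ in a title/description template."""
    return TOKEN_RE.findall(template)


def expand_tokens(template: str, event: Dict[str, object]) -> Tuple[str, List[str]]:
    """Substitute each $field$ with the event's value for that field.

    Tokens whose field is missing or empty are left verbatim (the symptom seen
    in the thread) and their names are returned so they can be investigated.
    Multivalue fields are joined with ", ".
    """
    unresolved: List[str] = []

    def _replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = event.get(name)
        if value is None or value == "" or value == []:
            unresolved.append(name)
            return match.group(0)  # leave "$UserId$" as-is
        if isinstance(value, (list, tuple)):
            return ", ".join(str(v) for v in value)
        return str(value)

    return TOKEN_RE.sub(_replace, template), unresolved


def check_notable(templates: Dict[str, str], event: Dict[str, object]) -> Dict[str, List[str]]:
    """Check several templates (e.g. rule_title, rule_description) against one event.

    Returns a map from template name to the list of tokens that could not be
    expanded; an empty dict means every token resolved.
    """
    problems: Dict[str, List[str]] = {}
    for label, template in templates.items():
        _, unresolved = expand_tokens(template, event)
        if unresolved:
            problems[label] = unresolved
    return problems


if __name__ == "__main__":
    # Constructed sample: the correlation search returned the user under "user",
    # not "UserId", so the title token cannot be resolved while "dest" can.
    sample_event = {"user": "XYZ", "dest": "host01", "sourcetype": "wineventlog"}
    sample_templates = {
        "rule_title": "Suspicious activity detected from User $UserId$",
        "rule_description": "Activity on $dest$ (sourcetype $sourcetype$)",
    }
    for label, template in sample_templates.items():
        text, missing = expand_tokens(template, sample_event)
        print(f"{label}: {text}  unresolved={missing}")
    print("problems:", check_notable(sample_templates, sample_event))
```

Run it against a real notable by pasting the event's fields into `sample_event`; any name listed under `problems` is a field the correlation search must emit (or the title must reference by its actual name) before the Incident Review dashboard can show a value instead of the raw token.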

VasukiPramod
Explorer

The issue is seen within the Title (rule_title) and Description fields of the Incident Review dashboard; the notable event does have all the data expanded properly.

0 Karma

lakshman239
Influencer

What's your ES version and Splunk Enterprise version? I haven't seen this issue in ES 5.3.1 or 6.x. You may also want to raise a case with support if it's only occurring on a specific version.

0 Karma