- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Variable substitution not working in correlation s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a correlation search for detecting when host stops sending logs. I enabled the search and set the title as below but when I receive the notables, my results show the hostname of the search head as the $host$ instead of the actual host who stopped sending logs. When I expand the notable, it does show the correct host under the "Additional Fields" section, just not in the title of the notable. The $Latest_Time$ doesn't work either, I'm not sure if it's possible to even use that or what I would have to put so it shows the Latest_Time / Last Time Reported field. Any help would be greatly appreciated!
Title of correlation search:
"Host $host$ stopped sending logs since $Latest_Time$"
Query:
| metadata type=hosts index=*| where relative_time(now(), "-1d") > lastTime AND lastTime > relative_time(now(), "-90d") | convert ctime(lastTime) as Latest_Time | sort -lastTime | table host,Latest_Time | lookup asset_lookup_by_str nt_host AS host OUTPUTNEW priority AS priority,bunit AS bunit |rename Latest_Time AS "Last Time Reported"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it looks like the issue was that I needed to use $orig_host$ to get the original host from the actual events. $host$ was just getting the search head hostname (maybe due to the metadata command?).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tromero3 I ran into the very same issue with $host$ not working . Pls advise how did you come up with $orig_host$ field ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it looks like the issue was that I needed to use $orig_host$ to get the original host from the actual events. $host$ was just getting the search head hostname (maybe due to the metadata command?).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure why $host$ is not working, but $Latest_Time$ doesn't work because there is no such field. It's renamed to $Last Time Reported$.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay I changed the $Latest_Time$ to $Last Time Reported$ and that part is now fixed. Thank you!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
