Splunk Enterprise Security

notables relation with device events


Is there any way that a notable is linked to the events that generated it?

0 Karma


At the end of the correlation search, add "| map_notable_fields" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".

The below link can be referred for the same as well.


Thank you for the answer. What I am interested in, is if there is any (default) way that the notable is linked to the events that generated it. Without any action from correlation search author. (without defining a drilldown for example)

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...