Issue with event_id Not Appearing When Sending Eve...

kn450 · ‎01-15-2025

Description:
Hello,

I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR.

Details:

When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR.

Any assistance or guidance to resolve this issue would be greatly appreciated.

Thank you

wazza · ‎05-21-2025

Hi @kn450 , @Saba

I have encountered this same issue a few days back and solved it by running a playbook to do a splunk search to create the event_id from the data in my artifact. The macro `get_event_id_meval` is used to create the event id from the indexer_guid, index and event_hash fields, separated by "@@", i.e. indexer_guid@@index@@event_hash.

Is this the best way? Probably not, but it does work and I can always update it should I find a better solution.

See the search below.

index=notable search_name="<your_search_name>" firstTime="xxxx" lastTime="xxxx"
| eval `get_event_id_meval`
| fields event_id

Saba · ‎04-29-2025

Hi @kn450 ,

Having the same issue, did you find a solution for this?

Thank You!

Issue with event_id Not Appearing When Sending Events from Splunk ES to SOAR

using SOAR ⁄ Phantom

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation