Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with event_id Not Appearing When Sending Events from Splunk ES to SOAR

kn450
Explorer
‎01-15-2025 04:58 AM

Description:
Hello,

I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR.

Details:

  • When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR.

Any assistance or guidance to resolve this issue would be greatly appreciated.

Thank you

Labels (1)
Labels
Tags (1)
0 Karma
Reply

wazza
Loves-to-Learn Everything
‎05-21-2025 04:21 PM

Hi @kn450 , @Saba 

 

I have encountered this same issue a few days back and solved it by running a playbook to do a splunk search to create the event_id from the data in my artifact. The macro `get_event_id_meval` is used to create the event id from the indexer_guid, index and event_hash fields, separated by "@@", i.e. indexer_guid@@index@@event_hash.

Is this the best way? Probably not, but it does work and I can always update it should I find a better solution.

See the search below.

index=notable search_name="<your_search_name>" firstTime="xxxx" lastTime="xxxx"
| eval `get_event_id_meval`
| fields event_id  

Tags (1)
0 Karma
Reply

Saba
Observer
‎04-29-2025 10:12 AM

Hi @kn450 ,

Having the same issue, did you find a solution for this?

Thank You!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...