Issue with event_id Not Appearing When Sending Eve...

kn450 · ‎01-15-2025

Description:
Hello,

I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR.

Details:

When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR.

Any assistance or guidance to resolve this issue would be greatly appreciated.

Thank you

wazza · ‎05-21-2025

Hi @kn450 , @Saba

I have encountered this same issue a few days back and solved it by running a playbook to do a splunk search to create the event_id from the data in my artifact. The macro `get_event_id_meval` is used to create the event id from the indexer_guid, index and event_hash fields, separated by "@@", i.e. indexer_guid@@index@@event_hash.

Is this the best way? Probably not, but it does work and I can always update it should I find a better solution.

See the search below.

index=notable search_name="<your_search_name>" firstTime="xxxx" lastTime="xxxx"
| eval `get_event_id_meval`
| fields event_id

Saba · ‎04-29-2025

Hi @kn450 ,

Having the same issue, did you find a solution for this?

Thank You!

Issue with event_id Not Appearing When Sending Events from Splunk ES to SOAR

using SOAR ⁄ Phantom

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?