I have the alert 'Splunk Alert: Audit - Expected Host Not Reporting - Rule' running off the assets list in Splunk Enterprise Security using the default search; however, I wanted to include the owner and bunit from the asset file. Adding hourDiff worked, but the two extra fields do not (in bold below):
| `host_eventcount(30,2)` | search is_expected=true | `ctime(lastTime)` | fields + host,lastTime,is_expected,**hourDiff,dayDiff,owner,bunit** | eval orig_time=_time
Am I missing something obvious with the query? Do I just need to do a host lookup and return the fields I want? I am not sure how to do this when the lookup list has the hostname as the third or fourth field.
I changed the search to
| `host_eventcount(30,2)` | search is_expected=true
which gave me the field names of host_owner and host_bunit, which I added happily into my alerts, and they now work.
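Pulling the thread together, here is the full alert search as it would look with the asset fields included. This is an added example, not the search from the question or the answer as posted: it assumes, as the answer shows, that the `host_eventcount` macro already joins the asset list onto each host and exposes the asset columns prefixed with `host_` (so `owner` becomes `host_owner` and `bunit` becomes `host_bunit`). The `rename` and `fillnull` lines are optional additions so the alert keeps the original column names and still fires for hosts whose asset record has no owner recorded.

```spl
| `host_eventcount(30,2)`
| search is_expected=true
| `ctime(lastTime)`
| fields + host, lastTime, is_expected, hourDiff, dayDiff, host_owner, host_bunit
| rename host_owner AS owner, host_bunit AS bunit
| fillnull value="unassigned" owner bunit
| eval orig_time=_time
```

The reason the original `fields + ... owner,bunit` clause returned nothing is visible in the answer: those columns do not exist under their bare names at that point in the pipeline, only under the prefixed names the asset lookup produced, and `fields` silently drops names that are not present. Running `| `host_eventcount(30,2)` | search is_expected=true` on its own, as the answer did, is the quickest way to see exactly which field names are available before adding them to the alert.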