Solved: How to add extra fields from assets list to : Splu...

Pierceyuk · ‎01-28-2014

I have the alert 'Splunk Alert: Audit - Expected Host Not Reporting - Rule' running off the assets list in splunk enterprise security using the default search,however i wanted to include the owner and bunit from the asset file, adding hourDiff worked, but the two extra fields do not(in bold below)?

| `host_eventcount(30,2)` | search is_expected=true | `ctime(lastTime)` | fields +      host,lastTime,is_expected,**hourDiff,dayDiff,owner,bunit** | eval orig_time=_time'

Am I missing something obvious with the query? Do I just need to do a host lookup and return the fields I want as I am not sure how to do this when the lookup list has the hostname as the third or fouth field?

Pierceyuk · ‎02-12-2014

I changed the search to

| `host_eventcount(30,2)` | search is_expected=true

which gave me the field names of host_owner and host_bunit which i added happily into my alerts and they now work

View solution in original post

Pierceyuk · ‎02-12-2014

I changed the search to

| `host_eventcount(30,2)` | search is_expected=true

which gave me the field names of host_owner and host_bunit which i added happily into my alerts and they now work

How to add extra fields from assets list to : Splunk Alert: Audit - Expected Host Not Reporting - Rule

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk