How to create a query wit top notable event source...

tokio13 · ‎04-21-2022

Hello

Could someone help me with a query?

I have this default report Top Notable Event Sources which returns me IP's (count, sparkline etc). How can I add an extra column to have the hostname of those IP's?

tokio13 · ‎04-21-2022

Yes, for that one

Azeemering · ‎04-21-2022

Then your answer is in my first reply 🙂

tokio13 · ‎04-27-2022

It actually worked only if I mention the Indexer, but that looks to consume quite a lot of resources

Azeemering · ‎04-21-2022

Hi,

You could just add the field host to the search. It will then show under Statistics.
This is for the Search "Notable - Top Notable Event Sources" in Enterprise Security if that is what you mean?

| `es_notable_events` | search timeDiff_type=current src!=unknown | stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src, host
| sort 100 - count,correlation_search_count

How to create a query wit top notable event sources with HOSTNAME?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to create a query wit top notable event sources with HOSTNAME?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...