How to create a query wit top notable event source...

tokio13 · ‎04-21-2022

Hello

Could someone help me with a query?

I have this default report Top Notable Event Sources which returns me IP's (count, sparkline etc). How can I add an extra column to have the hostname of those IP's?

tokio13 · ‎04-21-2022

Yes, for that one

Azeemering · ‎04-21-2022

Then your answer is in my first reply 🙂

tokio13 · ‎04-27-2022

It actually worked only if I mention the Indexer, but that looks to consume quite a lot of resources

Azeemering · ‎04-21-2022

Hi,

You could just add the field host to the search. It will then show under Statistics.
This is for the Search "Notable - Top Notable Event Sources" in Enterprise Security if that is what you mean?

| `es_notable_events` | search timeDiff_type=current src!=unknown | stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src, host
| sort 100 - count,correlation_search_count

How to create a query wit top notable event sources with HOSTNAME?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation