Splunk Search

Notable Event Custom Fields

ericl42
Path Finder

I'm working on creating multiple custom correlation rules such as failed logins from one IP, failed logins from multiple srcs, multiple host infections, etc., and in all of them there will be a "unique_count" field that I always want populated within the Incident Review page under notable events.

By default, it sets count to the field unique_infections, but I want one field to work for all of my rules. So I changed unique_infections to unique_count and came up with the query below that will define unique_count as failures, but it's not showing up correctly. From reading http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Customizenotables, it seems like as long as my variable includes a statistical transformation, which it does, then it should work. Am I missing anything?

Here is my correlation rule.

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user
| eval unique_count=failures
| table src user successes failures unique_count
| where failures>10

I recently added the unique_count=failures and table section so when I see the query, it shows me all of the fields I'm truly interested in. Everything is working fine minus unique_count showing up in the Count column under the notable event.


hettervik_new
Explorer

Hi. There is a defined list of field names that will show up in Incident Review in Splunk ES. To get a new field added to that list, i.e. "unique_count", you must add it in the list "Incident Review - Event Attributes" under Configure > Incident Management > Incident Review Settings.

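As an added illustration (not from either poster), this is how the same unique_count field can carry a different statistic in the "failed logins from multiple srcs" variant the question mentions, reusing the question's own search filter and field names (action, src, user); the thresholds are arbitrary. Once "unique_count" is in the Incident Review event attributes list, each rule only has to emit that field name for it to appear on the notable.

```spl
(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="failure")) as failures dc(src) as unique_count values(src) as src by user
| where failures>10 AND unique_count>3
| table user src failures unique_count
```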