Splunk Search

Notable Event Custom Fields

ericl42
Path Finder

I'm working on creating multiple custom correlation rules such as failed logins from one IP, failed logins from multiple srcs, multiple host infections, etc. and in all of them, there will be a "unique_count" field that I always want populated within the Incident Review page under notable events.

By default, it sets count to the field unique_infections, but I want one field to work for all of my rules. So I changed unique_infections to unique_count and came up with the query below that will define unique_count as failures, but it's not showing up correctly. From reading http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Customizenotables, it seems like as long as my variable includes a statistical transformation, which it does, then it should work. Am I missing anything?

Here is my correlation rule.

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user | eval unique_count=failures | table src user successes failures unique_count 
| where failures>10

I recently added the unique_count=failures and table section so when I see the query, it shows me all of the fields I'm truly interested in. Everything is working fine minus unique_count showing up in the Count column under the notable event.

0 Karma

hettervik_new
Explorer

Hi. There is a defined list of field names that will show up in Incident Review in Splunk ES. To get a new field added to that list, i.e. "unique_count", you must add it in the list "Incident Review - Event Attributes" under Configure > Incident Management > Incident Review Settings.

0 Karma
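As an added example (not from either poster), here is how the same unique_count convention can be carried across the three rule types the question mentions, so that one Incident Review attribute serves every correlation search. The first search reuses the original indexes, sources and field names; the second assumes the same authentication data; the third assumes a malware index with signature and dest fields, which is an assumption and not something from the thread. The searches are, in order: failed logins from one source, failed logins against one user from many sources, and one signature seen on many hosts.

```spl
(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user
| eval unique_count=failures
| where unique_count>10
| table src user successes failures unique_count

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) action=failure NOT Result_Code=0x17
| stats dc(src) as unique_sources values(src) as src_list count as failures by user
| eval unique_count=unique_sources
| where unique_count>5
| table user unique_sources src_list failures unique_count

index=malware
| stats dc(dest) as unique_hosts values(dest) as host_list count as detections by signature
| eval unique_count=unique_hosts
| where unique_count>3
| table signature unique_hosts host_list detections unique_count
```

Each search keeps its own descriptive numerator (failures, unique_sources, unique_hosts) and copies it into unique_count, so once unique_count is added under Incident Review - Event Attributes the same column is populated for every rule.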