Splunk Search

Notable Event Custom Fields

ericl42
Path Finder

I'm working on creating multiple custom correlation rules such as failed logins from one IP, failed logins from multiple srcs, multiple host infections, etc. and in all of them, there will be a "unique_count" field that I always want populated within the Incident Review page under notable events.

By default, it sets count to the field unique_infections, but I want one field to work for all of my rules. So I changed unique_infections to unique_count and came up with the query below that will define unique_count as failures, but it's not showing up correctly. From reading http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Customizenotables, I it seems like as long my variable includes a statistical transformations, which it does, then it should work. Am I missing anything?

Here is my correlation rule.

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user | eval unique_count=failures | table src user successes failures unique_count 
| where failures>10

I recently added the unique_count=failures and table section so when I see the query, it shows me all of the fields i'm truly interested in. Everything is working fine minus unique_count showing up in the Count column under the notable event.

0 Karma

hettervik_new
Explorer

Hi. There are a defined list of field names that will show up in Incident Review in Splunk ES. To get a new field added to that list, i.e. "unique_count", you must add it in the list "Incident Review - Event Attributes" under Configure > Incident Management > Incident Review Settings.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...