Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Notable Event Custom Fields

ericl42
Path Finder
‎11-30-2018 11:42 AM

I'm working on creating multiple custom correlation rules such as failed logins from one IP, failed logins from multiple srcs, multiple host infections, etc. and in all of them, there will be a "unique_count" field that I always want populated within the Incident Review page under notable events.

By default, it sets count to the field unique_infections, but I want one field to work for all of my rules. So I changed unique_infections to unique_count and came up with the query below that will define unique_count as failures, but it's not showing up correctly. From reading http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Customizenotables, I it seems like as long my variable includes a statistical transformations, which it does, then it should work. Am I missing anything?

Here is my correlation rule.

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user | eval unique_count=failures | table src user successes failures unique_count 
| where failures>10

I recently added the unique_count=failures and table section so when I see the query, it shows me all of the fields i'm truly interested in. Everything is working fine minus unique_count showing up in the Count column under the notable event.

0 Karma
Reply

hettervik_new
Explorer
‎12-14-2022 02:13 AM

Hi. There are a defined list of field names that will show up in Incident Review in Splunk ES. To get a new field added to that list, i.e. "unique_count", you must add it in the list "Incident Review - Event Attributes" under Configure > Incident Management > Incident Review Settings.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...