Splunk Search

Why are my correlation search fields missing from the notable events?

hettervik_new
Explorer

I have a correlation search in Splunk ES that does some statistics, and return a table with the events; "src_ip", "dest_ip", "count", "latest", "action", "app", "src", "dest", and "dest_port". The search looks something  like the following.

| tstats count latest(_time) as latest values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.src) as src values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port from datamodel=Network_Traffic where All_Traffic.dest_ip=1.2.3.4 by All_Traffic.src_ip All_Traffic.dest_ip
| rename All_Traffic.* as *

When this correlation search triggers it writes an event to the notable index, and that notable event contains the fields that are outputed from the search, except src_ip and dest_ip. Note that I'm talking about the notable index here, not the incidents showing in the Incident Review.

I've looked in the documentation for an explanation of this behaviour, but can't find anything. Can someone explain to me how Splunk picks which fields are to be written to the notable index events, and if possible, how one can force Splunk to write all fields from the search to the notable index?

Labels (2)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...