Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to label the attributing events additional fields which can associate the correlation search and drill-down search?

jaro
Explorer
‎01-04-2024 06:40 PM

Here are the screenshots:

In incident review setting, I have already labeled signature:

jaro_0-1704421786405.png

Then in Correlation Search content setting, also I have setting the search query which could result in fields with signature. This search can be run normally in search head and show the result I want.

jaro_1-1704421940091.png

But here related to drill-down search or description, this $signature$ can not show in notable of incident review:

jaro_2-1704422095632.png

jaro_3-1704422192557.png

 

May I ask how to solve this issue?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-04-2024 11:53 PM

Hi @jaro,

to see a field in the fields of a Notable (in the Incident Review dashboard) you have to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search),

if not, probably isn't displayed in the output of the correlation search: manually run your correlation search and see if the field is displayed, if not add it to the correlation Search.

One additional hint: don't modify the Correlation Search, but clone it and modify and enable only the cloned one.

If the field is present in the Notable event, you have also to check if it's present in the default visible fields, that you can find these configurations at [Configure > Incident management > Incident Review Settings] in the section Incident Review - Event Attributes.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-04-2024 11:53 PM

Hi @jaro,

to see a field in the fields of a Notable (in the Incident Review dashboard) you have to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search),

if not, probably isn't displayed in the output of the correlation search: manually run your correlation search and see if the field is displayed, if not add it to the correlation Search.

One additional hint: don't modify the Correlation Search, but clone it and modify and enable only the cloned one.

If the field is present in the Notable event, you have also to check if it's present in the default visible fields, that you can find these configurations at [Configure > Incident management > Incident Review Settings] in the section Incident Review - Event Attributes.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jaro
Explorer
‎01-05-2024 01:50 AM

Thanks @gcusello.  ---to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search), yes, I have display the result "signature" in the search I ran. However, the below description can not show the field value "signature" I search in correlation search as $signature$. 

Also I have tried eval other name equal to field signature, still nothing.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-05-2024 02:11 AM

Hi @jaro ,

if the field is in the Notable index, can be displayed.

Did you checked if it's in the visualized fields?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jaro
Explorer
‎01-07-2024 07:39 PM

It's OKAY now. In next triggered notable, it displayed. Thank you @gcusello

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-07-2024 11:18 PM

Hi @jaro ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...