Just tried what you suggested but still a no-go 😞
What I have currently:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
Doesn't appear to run the append, because the time field is blank on the resulting search page the workflow opens.
If I click on an event to spawn the incident creation I have the option checked to open the search command workflow in another window to see what it is passing.
After the change you suggested this is what the output is:
| snsecincident short_description "Blah Alert on xxxxxx at " category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
When everything sorta works this is what that result looks like:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH"