Activity Feed
- Got Karma for Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event?. 06-05-2020 12:48 AM
- Karma Re: Change color of single value visualization for AlexMcDuffMille. 06-05-2020 12:46 AM
- Posted Re: Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event? on Splunk Enterprise Security. 12-17-2016 07:03 AM
- Posted Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action? on Splunk Enterprise Security. 12-15-2016 11:00 AM
- Posted Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action? on Splunk Enterprise Security. 12-15-2016 10:21 AM
- Tagged Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action? on Splunk Enterprise Security. 12-15-2016 10:21 AM
- Posted Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event? on Splunk Enterprise Security. 11-30-2016 10:10 AM
- Tagged Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event? on Splunk Enterprise Security. 11-30-2016 10:10 AM
Topics I've Started
12-17-2016 07:03 AM
The workaround I found for this is to simply hardcode my default values into the XML.
<input=...... value="$result.field1$"/>
12-15-2016 11:00 AM
I'm not trying to add a comment, I'm trying to add a whole new field to the notable.
12-15-2016 10:21 AM
Hi,
I am wondering if it is possible to have my adaptive response actions append fields to the notable which triggered them. I am in a situation where my adaptive response action returns a link, and I would like for that link to be displayed alongside all other interesting fields in the notable.
I followed http://blogs.splunk.com/2015/04/13/how-to-edit-notable-events-in-es-programatically/ and tried to provide the REST API an argument like args['my_link'] and received the following error:
{"message":"ValueError: One of comment, owner, status, urgency is required.","success":false}
Is there any way to update the notable and append new fields to it based on the results of adaptive response actions?
11-30-2016 10:10 AM
1 Karma
Hi,
Is it possible to prepopulate an adaptive response action's form from the notable event?
Let's say my notable event has fields:
fielda = 1234
fieldb = 5436
fieldc = 8512
And my alert_props.conf has
param.field1 = $result.fielda$
param.field2 = $result.fieldb$
param.field3 = $result.fieldc$
When someone (via Splunk Enterprise Security) does Actions->Run Adaptive Response Actions, I would expect Splunk to prepopulate the form with the values from the notable event it was selected through. Is this possible?