Followup question:
We are only talking about the asset or identity priority. Same with the documentation. http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned
But we quite often have two identities (user and src_user) and two assets (dest and src) in a notable.
So which one counts?
The documentation says: "If both the asset and identity in the notable event have an assigned priority, the higher priority is used to calculate the urgency." So the question still remains: which asset and which identity?
My guess is that it is always user and dest, but I have found no information on this so far.
Quite often you would want to use src instead of dest for the calculation, e.g. if your notable uses web proxy logs and the dest is always an external URL, which of course has an unknown priority. In this case it is clearly the src that you want to use for the urgency calculation. But if it is always dest, the only option you have is to calculate the urgency yourself, either with an eval or by using the urgency lookup in your search to look up the src.
Any comments on my thoughts? (also submitted this as a question at the above doc page)
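The "calculate the urgency yourself" approach from the post, modelled in Python as an added example (not code from the original post and not Splunk's own implementation). It takes a notable with src, dest, user and src_user, resolves each to a priority via an asset and an identity lookup, keeps the highest priority among the fields you choose to count, and then maps (severity, priority) to an urgency. The asset and identity tables, the hosts and users in them, and the urgency matrix are all constructed for illustration; in a real ES deployment the matrix would come from the urgency lookup, not from this file.

```python
"""Urgency calculation for a notable event, selectable asset/identity fields.

Added example; the lookups and the matrix below are constructed, not ES data.
"""

# Ordering used to decide which priority is "higher".
PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]

# Constructed asset and identity lookups (hypothetical hosts and users).
ASSET_PRIORITY = {"10.0.0.5": "high", "10.0.0.9": "medium"}
IDENTITY_PRIORITY = {"alice": "critical", "svc_proxy": "low"}

# Constructed severity -> [urgency per priority, in PRIORITIES order].
# ILLUSTRATIVE ONLY; take the real matrix from the ES urgency lookup.
URGENCY_MATRIX = {
    "informational": ["informational"] * 5,
    "low": ["low", "low", "low", "medium", "medium"],
    "medium": ["low", "low", "medium", "high", "high"],
    "high": ["medium", "medium", "high", "high", "critical"],
    "critical": ["high", "high", "critical", "critical", "critical"],
}


def lookup_priority(value, table):
    """Resolve one field value to a priority; anything not in the lookup is unknown."""
    if value is None:
        return "unknown"
    return table.get(value, "unknown")


def notable_priority(notable, asset_fields=("dest",), identity_fields=("user",)):
    """Highest priority among the chosen asset and identity fields.

    The defaults model the post's guess (dest and user); pass
    asset_fields=("src",) for the web-proxy case where dest is external.
    """
    candidates = [lookup_priority(notable.get(f), ASSET_PRIORITY) for f in asset_fields]
    candidates += [lookup_priority(notable.get(f), IDENTITY_PRIORITY) for f in identity_fields]
    return max(candidates, key=lambda p: PRIORITY_RANK[p], default="unknown")


def calculate_urgency(notable, asset_fields=("dest",), identity_fields=("user",)):
    """Map (severity, highest selected priority) to an urgency via the matrix."""
    priority = notable_priority(notable, asset_fields, identity_fields)
    return URGENCY_MATRIX[notable["severity"]][PRIORITIES.index(priority)]


# Constructed proxy notable: dest is an external host, no user resolved.
PROXY_NOTABLE = {
    "severity": "high",
    "src": "10.0.0.5",
    "dest": "www.example.com",
    "src_user": None,
}

if __name__ == "__main__":
    # Counting only dest/user gives an unknown priority and a diluted urgency;
    # counting src instead surfaces the high-priority workstation.
    print("dest/user:", calculate_urgency(PROXY_NOTABLE))
    print("src/user: ", calculate_urgency(PROXY_NOTABLE, asset_fields=("src",)))
```

The same split would be done in SPL with a lookup against the asset table keyed on src followed by a lookup into the urgency table, which is what the post proposes as the fallback if ES itself only considers dest.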