×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
othmanexd
New Member
Member since: ‎03-02-2021
‎03-02-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-02-2021
View All

Re: Access Notable event_id from an correlated sea...

by in Splunk Enterprise Security
‎03-02-2021 05:41 PM
‎03-02-2021 05:41 PM
So what I basically have is an integration between splunk/phantom/servicenow where Splunk forwards correlated search events to phantom using the "Phantom App-on" with the Event forwarding feature and then phantom executes a playbook to create a Servicenow Ticket. What I want to do is update the "comment" field for each Notable Event in ES that is associated with the "Correlated search event" that was pushed from Splunk to phantom with the ticket number that was created. So I'm trying to figure out if there is a shared value that's in both the "Notable event" and "Correlated Search Event" so I can link the two and update the "Notable Event" comments field. Maybe there is a better approach to doing this?  ... View more

Access Notable event_id from an correlated search ...

by in Splunk Enterprise Security
‎03-02-2021 12:59 PM
‎03-02-2021 12:59 PM
Since a notable event is generated from a correlated search event, is there a way to output the notable event "event_id" from the correlated search event? I have a use case where I need to update notable event fields that's associated with a specific correlated search event. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-02-2021 10:06 PM