Hello,

Thanks for your help. I walked through the article you suggested without seeing any issue:
- scheduled search results
- Events are well in notable (also checked for removal action but none)
- Checked the alerts generation
- Checked the output: simple multiple fields, no xml or any other huge field values
- And more globally, nothing but INFO level in _internal

I found out that 2 correlation searches had a double-quote in a variable in action.notable.param.rule_description (e.g. $"variable$), but it has no particular effect on the parsing, as fixing it didn't solve the problem.

Checking two searches, one working, one not, I didn't notice any noticeable difference in the naming, special characters or configuration options. The working example has no drilldown, but I found others working with it and without particular difference on this.

At this point, it would be very helpful to know the search executed to populate the dropdown list...

Example:

Working:
[Threat - [C0005] [\w\s]+ - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = [C0005] [\w\s]+
action.customsearchbuilder.enabled = false
action.customsearchbuilder.spec = {}
action.email = 1
action.email.format = table
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.subject = [C0005] [\w\s]+
action.email.to = emain@address
action.notable = 1
action.notable.param.next_steps = {"version":1,"data":\w+}
action.notable.param.recommended_actions = [\w,]+
action.notable.param.rule_description = [\w\s]+
action.notable.param.rule_title = [C0005][\[\]\w\s()$]+
action.notable.param.security_domain = threat
action.notable.param.severity = high
action.notable.param.verbose = 0
alert.suppress = 1
alert.suppress.fields = <suppressed_field>
alert.suppress.period = 86400s
alert.track = 0
counttype = number of events
cron_schedule = */5 * * * *
description = [()\w\s]+
disabled = 1
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m
dispatch.rt_backfill = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
search = <search>

Not working:
[Threat - [C0804] [\w\s]+ - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = [C0804] [\w\s]+
action.customsearchbuilder.enabled = false
action.customsearchbuilder.spec = {}
action.notable = 1
action.notable.param.drilldown_name = [\w\s]+
action.notable.param.drilldown_search = <search>
action.notable.param.recommended_actions = [\w,]+
action.notable.param.rule_description = [\w\s]+
action.notable.param.rule_title = [\[\]\w\s()$]+
action.notable.param.security_domain = threat
action.notable.param.severity = high
action.notable.param.verbose = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 8-59/5 * * * *
description = [\w\s]+
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m
dispatch.rt_backfill = 1
enableSched = 1
quantity = 0
realtime_schedule = 0
relation = greater than
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
search = <search>
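Added example (not from the post above and not Splunk's own code): a small Python helper that parses two savedsearches.conf stanzas of the kind pasted above, lists the keys present in only one of them or differing between them, and flags $...$ tokens in the action.notable.param.* values that contain characters other than plain field-name characters (such as the $"variable$ case mentioned above). The two stanzas are constructed from the redacted ones in the post, with made-up searches and labels; the set of characters accepted inside a $token$ is an assumption, not an ES rule. It does not answer what query ES runs to populate the correlation-search dropdown; it only makes the side-by-side comparison mechanical.

```python
"""Diff two savedsearches.conf stanzas and flag odd $token$ values in notable params.

Constructed illustration: the stanzas below are stand-ins for the two redacted
stanzas in the post, not production configuration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a "working" stanza and a "not working" stanza.
SAMPLE_CONF = r"""
[Threat - [C0005] Sample Working - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = [C0005] Sample Working
action.notable = 1
action.notable.param.rule_description = Detected $src$ doing things
action.notable.param.rule_title = [C0005] $src$ activity
alert.suppress = 1
alert.track = 0
cron_schedule = */5 * * * *
disabled = 1
search = index=main | stats count by src

[Threat - [C0804] Sample Broken - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = [C0804] Sample Broken
action.notable = 1
action.notable.param.drilldown_name = Show events
action.notable.param.drilldown_search = index=main src=$src$
action.notable.param.rule_description = Detected $"src$ doing things
action.notable.param.rule_title = [C0804] $src$ activity
alert.suppress = 0
alert.track = 1
cron_schedule = 8-59/5 * * * *
search = index=main | stats count by src
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")          # greedy: stanza names may contain [ ]
KV_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")  # key = value, value may contain "="
TOKEN_RE = re.compile(r"\$[^$]*\$")                 # $...$ substitution tokens
# Assumption: a well-formed token is $name$ with name made of these characters only.
GOOD_TOKEN_RE = re.compile(r"\$[A-Za-z0-9_.:]+\$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .conf text into {stanza_name: {key: value}}; comments and blanks are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1).strip()] = m.group(2).strip()
    return stanzas


def diff_stanzas(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, object]:
    """Keys only in a, keys only in b, and keys whose values differ (as (a_value, b_value))."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed: Dict[str, Tuple[str, str]] = {
        k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]
    }
    return {"only_in_a": only_a, "only_in_b": only_b, "changed": changed}


def odd_tokens(stanza: Dict[str, str]) -> Dict[str, List[str]]:
    """Notable-action params whose $...$ tokens contain characters outside the assumed name set."""
    findings: Dict[str, List[str]] = {}
    for key, val in stanza.items():
        if not key.startswith("action.notable.param."):
            continue
        bad = [t for t in TOKEN_RE.findall(val) if not GOOD_TOKEN_RE.fullmatch(t)]
        if bad:
            findings[key] = bad
    return findings


def report(text: str) -> List[str]:
    """Human-readable comparison of the first two stanzas in the text."""
    conf = parse_conf(text)
    names = list(conf)
    if len(names) < 2:
        return ["need at least two stanzas"]
    a, b = conf[names[0]], conf[names[1]]
    d = diff_stanzas(a, b)
    lines = [f"A = [{names[0]}]", f"B = [{names[1]}]"]
    lines += [f"only in A: {k} = {a[k]}" for k in d["only_in_a"]]
    lines += [f"only in B: {k} = {b[k]}" for k in d["only_in_b"]]
    lines += [f"differs: {k}: A={va!r} B={vb!r}" for k, (va, vb) in d["changed"].items()]
    for label, st in (("A", a), ("B", b)):
        for k, toks in odd_tokens(st).items():
            lines.append(f"odd token in {label}: {k} -> {toks}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Run it against a file with the two real stanzas (sanitised or not) pasted in place of SAMPLE_CONF; the "only in B" and "differs" lines are exactly the things to compare one by one, and the "odd token" line catches the stray double-quote inside a $token$ without eyeballing the value.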