Splunk Enterprise Security

Is it possible to generate a "ticket number" style reference for a notable event?

New Member

I'd like each notable event that is raised in ES to have a unique "ticket number" style reference, automatically incrementing as events are raised - along the same kind of lines as ticket reference numbers that are created in systems like ServiceNow when a ticket is raised.

I appreciate that the event_id field is a unique reference for each notable but it's not user friendly enough to be used as a point of reference between multiple analysts

Is there a way to achieve what I am looking for?

0 Karma


For now, I would check out the "Share Notable Event" action in the Actions dropdown per notable event. This produces direct hyperlinks to the notable event with a copy-clipboard option. While not a "ticket number", this link can be distributed in digital-friendly ways:


alt text


You could build a lookup process, which would link the event_id to a more user-friendly ticket number. I am sure that it could be automated with a python script, or some other form of scripting.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...