Splunk Enterprise Security

Not all Additional fields showing up under Notable event

neerajs_81
Builder

Hello,
I have followed https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Customizenotables and created Additional Fields under the "Incident Review Settings" page and saved my changes. Now I am seeing that when a notable is created in the Incident Review dashboard, none of my new additional fields are showing up there. I have verified that when I run the search manually, those fields are there and there is no typo in their names.

2 questions:

1) Is there a default limit on how many additional fields show at most for a notable? The way I see it, not all fields are showing up.

2) Is there a way to customize which additional fields to show for which notable event / correlation search?

1 Solution

ro_mc
Path Finder

When you say "run the search manually", do you mean the correlation search that generates the events, or the REST API SPL search that verifies active Additional Fields (via the link you provided)?

If you haven't done so already, verify the REST API results are what you expect. If not as expected, return to Configure > Incident Management > Incident Review Settings to ensure the additional fields have an appropriate label and the correct field name, then click Done and then Save.

If the REST API results are as expected, ensure that the correlation search outputs the relevant fields. I.e. if you are using a command like stats or transaction, ensure you are including the fields that you want to display in the Additional Fields list.

Next, has the correlation search run recently? If you are looking at data run by an earlier search, you may be retrieving the existing results and/or looking at cached content.

Use the `notable` macro to review index=notable enriched by data in the incident_review KV store. If necessary, review the KV store separately:

https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/notableeventsplunkes/usingnotable...

If all looks correct and a more recent notable event does not update the fields, try refreshing the Search Head via your equivalent of the following URL, substituting https, hostname and port as necessary.

http://splunkhost:8000/en-US/debug/refresh

Other troubleshooting steps you can try include clearing your browser cache & restarting the browser, trying a different browser, and looking for any Splunk internal logs at the time of the search / notable generation / incident review page view.
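The "ensure that the correlation search outputs the relevant fields" step above, as an added example that is not code from this thread or from Splunk: a small Python script that compares the Additional Fields configured in Incident Review Settings against the fields actually present in correlation search results, and reports which configured fields never appear (the usual reason a field is silently missing from the notable). It assumes the Incident Review settings are stored as a JSON list of `{"field": ..., "label": ...}` objects in the `event_attributes` setting of log_review.conf (the value a `| rest /services/configs/conf-log_review/incident_review` search would return) and that the search results have been exported as a list of dicts; both the settings JSON and the result rows below are constructed samples, including a deliberate `src_ip` vs `src` name mismatch to show what the check catches.

```python
"""
Added example (not from the thread or from Splunk): verify that every Additional
Field configured for Incident Review is actually emitted by the correlation
search, so a missing field can be traced to the search rather than to the UI.

Assumptions (not confirmed by the thread):
  * Additional Fields live in the `event_attributes` setting of log_review.conf
    as a JSON list of {"field": ..., "label": ...} objects.
  * Correlation search results are available as a list of dicts (for example
    exported from the `notable` macro or from the search's `| stats` output).
All data below is constructed for illustration.
"""
import json

# Constructed sample of `event_attributes` after saving Incident Review Settings.
# "src_ip" is configured but the search below emits "src": a name mismatch.
EVENT_ATTRIBUTES_JSON = json.dumps([
    {"field": "src", "label": "Source"},
    {"field": "dest", "label": "Destination"},
    {"field": "user", "label": "User"},
    {"field": "signature", "label": "Signature"},
    {"field": "src_ip", "label": "Source IP"},
])

# Constructed sample rows from a correlation search that used `stats ... by src, dest`
# and therefore dropped any field not carried through the `by` clause.
SAMPLE_NOTABLES = [
    {"_time": "2024-01-01T00:00:00", "src": "10.0.0.5", "dest": "10.0.0.9",
     "count": "3", "rule_name": "Excessive Failed Logins"},
    {"_time": "2024-01-01T00:05:00", "src": "10.0.0.7", "dest": "10.0.0.9",
     "user": "svc_backup", "count": "8", "rule_name": "Excessive Failed Logins"},
]


def parse_event_attributes(raw: str) -> dict:
    """Return {field_name: label} from the event_attributes JSON string."""
    labels = {}
    for entry in json.loads(raw):
        field = entry.get("field")
        if not field:
            continue  # skip malformed entries rather than failing the whole check
        labels[field] = entry.get("label", field)
    return labels


def fields_present(results) -> set:
    """Field names that carry a non-empty value in at least one result row."""
    present = set()
    for row in results:
        for key, value in row.items():
            if value not in (None, ""):
                present.add(key)
    return present


def missing_additional_fields(raw_attrs: str, results) -> list:
    """Configured Additional Fields that never appear in the search results, sorted."""
    configured = parse_event_attributes(raw_attrs)
    present = fields_present(results)
    return sorted(field for field in configured if field not in present)


def coverage_report(raw_attrs: str, results) -> dict:
    """For each configured field: its label and the fraction of rows where it is populated."""
    configured = parse_event_attributes(raw_attrs)
    total = len(results) or 1
    report = {}
    for field, label in configured.items():
        hits = sum(1 for row in results if row.get(field) not in (None, ""))
        report[field] = {"label": label, "populated": hits / total}
    return report


if __name__ == "__main__":
    missing = missing_additional_fields(EVENT_ATTRIBUTES_JSON, SAMPLE_NOTABLES)
    print("Configured Additional Fields absent from search output:", missing)
    for field, info in coverage_report(EVENT_ATTRIBUTES_JSON, SAMPLE_NOTABLES).items():
        print(f"{info['label']:<12} ({field}): populated in {info['populated']:.0%} of rows")
```

A field reported at 0% is the one to fix in the correlation search (add it to the `by` clause or carry it through with `values()`/`first()`), or to rename in Incident Review Settings if the search uses a different name; a field populated in only some rows will appear on some notables and not others, which matches the "not all fields are showing up" symptom.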

