Splunk Enterprise Security

Not all Additional fields showing up under Notable event

neerajs_81
Contributor

Hello,
I have followed https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Customizenotables and created Additional Fields under "Incident Review Settings" page and saved my changes.  Now i am seeing that when a notable is created in Incident Review dashboard,  none of my new additional fields are showing up there.  I have verified when i run the search manually,  those fields are there and there is no typo in their name.

2 Qns

1) Is there a default limit as in  how many additional fields show at the max for a Notable ? The way i see not all fields are showing up.

2) Is there a way to customize which addn. fields to show for which Notable event /Co-relaion search ?

Tags (1)
1 Solution

ro_mc
Path Finder

When you say "run the search manually", do you mean the correlation search that generates the events, or the REST API SPL search that verifies active Additional Fields (via the link you provided)?

If you haven't done so already, verify the REST API results are what you expect. If not as expected, return to Configure > Incident Management > Incident Review Settings to ensure the additional fields have an appropriate label and the correct field name, then click Done and then Save.

If the REST API results are as expected, ensure that the correlation search outputs the relevant fields. I.e. if you are using a command like stats or transaction, ensure you are including the fields that you want to display in the Additional Fields list.

Next, has the correlation search run recently? If you are looking at data run by an earlier search, you may be retrieving the existing results and/or looking at cached content.

Use the `notable` macro to review index=notable enriched by data in the incident_review KV store. If necessary, review the KV store separately

https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/notableeventsplunkes/usingnotable...

If all looks correct and a more recent notable event does not update the fields, try refreshing the Search Head via your equivalent of the following URL, substituting https, hostname and port as necessary.

http://splunkhost:8000/en-US/debug/refresh

Other troubleshooting steps you can try include clearing your browser cache & restarting the browser, trying a different browser, and looking for any Splunk internal logs at the time of the search / notable generation / incident review page view.

View solution in original post

ro_mc
Path Finder

When you say "run the search manually", do you mean the correlation search that generates the events, or the REST API SPL search that verifies active Additional Fields (via the link you provided)?

If you haven't done so already, verify the REST API results are what you expect. If not as expected, return to Configure > Incident Management > Incident Review Settings to ensure the additional fields have an appropriate label and the correct field name, then click Done and then Save.

If the REST API results are as expected, ensure that the correlation search outputs the relevant fields. I.e. if you are using a command like stats or transaction, ensure you are including the fields that you want to display in the Additional Fields list.

Next, has the correlation search run recently? If you are looking at data run by an earlier search, you may be retrieving the existing results and/or looking at cached content.

Use the `notable` macro to review index=notable enriched by data in the incident_review KV store. If necessary, review the KV store separately

https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/notableeventsplunkes/usingnotable...

If all looks correct and a more recent notable event does not update the fields, try refreshing the Search Head via your equivalent of the following URL, substituting https, hostname and port as necessary.

http://splunkhost:8000/en-US/debug/refresh

Other troubleshooting steps you can try include clearing your browser cache & restarting the browser, trying a different browser, and looking for any Splunk internal logs at the time of the search / notable generation / incident review page view.

Get Updates on the Splunk Community!

This dashboard view is deprecated and will be removed in future versions of Splunk ...

After upgrading to Splunk Enterprise 9.0 I do get the following message from several Dashboard.This dashboard ...

How to ingest a selection of JSON fields

I have a dump.json file that collects events in JSON format:<BR ...

Why getting timeout error while adding data to the Splunk cloud index from REST API?

Hello Team,<BR /><BR />I am getting timeout error while adding data to Splunk cloud index from REST API. I am ...