I have this search:
| metadata type=hosts
| lookup critical_systems Host_name as host OUTPUT Host_name as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")
| convert ctime(lastTime) as LastTimeLogged
| where lastTime < last60
| table host, LastTimeLogged
| sort -LastTimeLogged
The name of my notable event:
Stop sending logs from $host$
And the results in "Incident Review":
http://prntscr.com/haawz1 I want the name that I marked in red to be in the main name of my notable event.
And in your opinion, which fields would be good to add to this notable event?
Hi test_qweqwe,
to change font color you have to customize CSS.
In the Splunk 7.x Dashboard Examples app (https://splunkbase.splunk.com/app/1603/), you can find some examples of how to highlight or color a cell event.
Bye.
Giuseppe
I didn't say it correctly; I need something else.
Okay, in the notable event we have "Additional Fields" -> "Host", which has the name server_host1.local, and I want this name in the title of the notable event.
I need "Stop sending logs from server_host1.local", not "Stop sending logs from ip-10.0.0.16".
Let me understand: when you speak of Notable Events, are you speaking of Enterprise Security or Splunk Enterprise?
If Enterprise Security, sorry but I cannot help you.
If Splunk Enterprise, the question is: where is the host field with the real hostname?
I see three host fields in your search: host, host1 and Host_name; identify which is the field with the real hostname and use it.
Bye.
Giuseppe
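One way to follow that advice in the original "silent host" search, as an added example that is not part of this thread: keep the name that comes from the lookup in its own field instead of overwriting host, so the correlation search title can use it. It assumes the critical_systems lookup has a column display_name holding the readable hostname (an assumed column name; the thread only shows Host_name), restricts results to hosts present in the lookup, and sorts on the epoch value before converting it to text so the order is chronological rather than alphabetical.

```spl
| metadata type=hosts
| eval cutoff=relative_time(now(), "-60m@m")
| where lastTime < cutoff
| lookup critical_systems Host_name AS host OUTPUT display_name AS real_host
| where isnotnull(real_host)
| eval minutes_silent=round((now() - lastTime) / 60)
| eval LastTimeLogged=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| sort - lastTime
| table real_host host LastTimeLogged minutes_silent
```

With this search behind the correlation rule, the notable title can be written as "Stop sending logs from $real_host$", and minutes_silent is a useful additional field for triage because it tells the analyst how long the gap is at the time the notable fires.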
It's Enterprise Security 😞
Sorry!
I had this doubt, but it isn't in the question tags.
Good luck!
Bye.
Giuseppe