Splunk Enterprise Security

Edit title of notable event

test_qweqwe
Builder

I will try again, but with the correct tags on my question.
Today I tried many times to fix it, with zero results.

https://prnt.sc/haawz1 - I need "Stop sending logs from server.host1.local", not "Stop sending logs from ip-10.0.0.16"

When I created correlation search, I put this in title of notable event:
Stop sending logs from $host$

Also, I have this search:
| metadata type=hosts
| lookup critical_systems Host_name as host OUTPUT Host_name as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")
| convert ctime(lastTime) as LastTimeLogged
| where lastTime < last60
| table host, LastTimeLogged
| sort -LastTimeLogged

ip-10.0.0.16 - this IP it takes from the default field "host", which is not in my lookup critical_systems.


hazekamp
Builder

Long story short is that summary events (including notable events) will have a "host" value of the Splunk server that created the events (typically the search head). As such, any correlation searches that persist a "host" field will be re-mapped to "orig_host" in the resulting summary (notable) event.

The correct title in this case would be:

Stop sending logs from $orig_host$

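To make the orig_ remapping concrete, here is a small Python simulation (an added example, not Splunk's or Enterprise Security's own code) of how a correlation search result becomes a notable event: the search head's own name takes the `host` field, the result's original value moves to `orig_host`, and `$field$` tokens in the title are then filled from the notable event. The `SEARCH_HEAD` name, the sample result rows and the handling of unresolvable tokens are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed assumption: the Splunk search head that runs the correlation search.
SEARCH_HEAD = "ip-10.0.0.16"

# Fields the summary/notable event overwrites with its own values; the value
# from the correlation search result is preserved as orig_<field>. Only "host"
# is covered by the answer above; add others here if your deployment remaps more.
REMAPPED_FIELDS = ("host",)

TOKEN = re.compile(r"\$(\w+)\$")


def to_notable(result: Dict[str, str], search_head: str = SEARCH_HEAD) -> Dict[str, str]:
    """Simulate persisting a correlation search result as a notable event."""
    notable = dict(result)
    for field in REMAPPED_FIELDS:
        if field in result:
            notable[f"orig_{field}"] = result[field]
    # The notable event is created on the search head, so that becomes its host.
    notable["host"] = search_head
    return notable


def render_title(template: str, event: Dict[str, str]) -> str:
    """Replace $field$ tokens with event values.

    Assumption: tokens with no matching field are left untouched.
    """
    return TOKEN.sub(lambda m: event.get(m.group(1), m.group(0)), template)


def notable_titles(results: List[Dict[str, str]], template: str) -> List[str]:
    """Titles the notable events would get for each search result row."""
    return [render_title(template, to_notable(r)) for r in results]


# Constructed sample rows, shaped like the output of the search in the question.
SAMPLE_RESULTS = [
    {"host": "server.host1.local", "LastTimeLogged": "11/06/2017 09:15:00"},
    {"host": "db2.host1.local", "LastTimeLogged": "11/06/2017 08:40:00"},
]

if __name__ == "__main__":
    for title in notable_titles(SAMPLE_RESULTS, "Stop sending logs from $host$"):
        print(title)  # search head name: the behaviour reported in the question
    for title in notable_titles(SAMPLE_RESULTS, "Stop sending logs from $orig_host$"):
        print(title)  # original host name: the title suggested in the answer
```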

test_qweqwe
Builder

Thanks! Also, where can I get information about it? I parsed the documentation, but did not find this information.


hazekamp
Builder

I see a number of orig fields referenced here, but not the general concept of how orig mapping works, and certainly not all orig fields. I will mention this to docs.

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA


smoir_splunk
Splunk Employee

I don't quite understand your last sentence, however. Where is the IP address coming from? That's coming from the host field of the event enriched by Splunk? As a workaround you could leave Host_name as is and perform your operations on it using that name.

I'm not the best to comment on search construction, however, but it seems like there are other ways it could be improved (such as why is the table and sort relevant?). Is the LastTimeLogged stored in the lookup? It might be better to construct this computation as a lookup and then have the correlation search perform the time comparison? Again, that's mostly a guess.

test_qweqwe
Builder

That's coming from the host field of the event enriched by Splunk?
Yes.

I will try tomorrow what you said.
