Splunk Enterprise Security

Edit title of notable event x2

test_qweqwe
Builder
sourcetype=WinEventLog:Security (EventCode=4720) | eval date=strftime(_time, "%Y/%m/%d") | rex "New\sAccount:\s+.*\s+\w+\s\w+:\s+(?<NewAccount>.*)" | rex "Account\sName:\s+(?<SourceAccount>.*)" | stats count by date, NewAccount, SourceAccount, Keywords, host | sort - date | rename NewAccount as user | rename SourceAccount as src_user

Why do $src_user$ and $user$ not show data? What should I do to fix it -> http://prntscr.com/hdt8mm ?

Description: $src_user$ created account $user$ on system $orig_host$
shows as:
Description: Unknown created account unknown on system WIN2012LAB.


micahkemp
Champion

My previous answer did not address the actual issue you're seeing. What you're running into is that your original data has the fields referenced by your description, but your correlation search results did not. Your notable event description needs to only reference fields returned by your correlation search. This may be as simple as adding a BY clause to your tstats search command, assuming your correlation search uses tstats.

For further guidance you might want to post your correlation search and your notable event's drilldown search.
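The check the answer above implies, as an added example that is not part of the original thread: extract every $field$ token from the notable description and compare it with the fields the correlation search actually returns. The sample result row is constructed from the fields the asker's `stats ... by` and `rename` clauses produce; the "unknown" fallback is assumed to mirror what the asker's screenshot shows, and `fix_row` stands in for appending `| eval orig_host=host` to the search.

```python
import re
from typing import Dict, List, Set

# Notable titles/descriptions reference result fields as $name$.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")

# Constructed sample row: the fields the asker's search returns after
# `stats count by date, NewAccount, SourceAccount, Keywords, host` and the
# two `rename` commands. Note there is a `host` field but no `orig_host`.
SAMPLE_ROW: Dict[str, str] = {
    "date": "2017/11/20",
    "user": "jdoe",
    "src_user": "Administrator",
    "Keywords": "Audit Success",
    "host": "WIN2012LAB",
}

DESCRIPTION = "$src_user$ created account $user$ on system $orig_host$"


def referenced_fields(template: str) -> List[str]:
    """Field names referenced as $name$ in a notable title or description."""
    return TOKEN_RE.findall(template)


def missing_fields(template: str, result_fields: Set[str]) -> List[str]:
    """Tokens the template uses that the correlation search does not return.
    Each of these renders as the fallback text instead of a value."""
    return [f for f in referenced_fields(template) if f not in result_fields]


def render(template: str, row: Dict[str, str], fallback: str = "unknown") -> str:
    """Substitute $field$ tokens from one result row; a field the search did
    not return falls back to the placeholder (assumed from the screenshot)."""
    return TOKEN_RE.sub(lambda m: row.get(m.group(1), fallback), template)


def fix_row(row: Dict[str, str]) -> Dict[str, str]:
    """Search-side fix: alias the field the description expects, which is what
    appending `| eval orig_host=host` to the correlation search would do."""
    fixed = dict(row)
    fixed.setdefault("orig_host", row.get("host", ""))
    return fixed


if __name__ == "__main__":
    print("missing:", missing_fields(DESCRIPTION, set(SAMPLE_ROW)))
    print(render(DESCRIPTION, SAMPLE_ROW))
    print(render(DESCRIPTION, fix_row(SAMPLE_ROW)))
```

Run the same check against any description before saving the correlation search; an empty `missing_fields` result means every token will resolve.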

test_qweqwe
Builder

I don't correctly understand how to change my search with BY and tstats.
Can you help?


micahkemp
Champion

Variable substitution for the notable title only occurs (by default) on the builtin ES views. If you want to have the event itself show the substituted values you would have to add that functionality elsewhere. One potential solution is detailed here:

https://answers.splunk.com/answers/544388/how-to-get-or-generate-splunk-es-notable-event-tit.html

There are other solutions as well, but I can't find references to them right now.

test_qweqwe
Builder

As I understand it, I need to change the code as in your link.
And where can I change it?


hardikJsheth
Motivator

Can you be more specific about what problem you are facing?


niketn
Legend

@test_qweqwe, can you add the code where you are setting the tokens:

$src_user$ created account $user$ on system $orig_host$

Also, when you display the table with these three fields, are they showing the correct values? If they are coming from the above table, can you add some sample data from the output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

test_qweqwe
Builder

They show the correct values.
http://prntscr.com/hdtl3i

"can you add the code where you are setting the tokens"
What does it mean?


niketn
Legend

You have mentioned in your question that $user$, $orig_host$ and $src_user$ are not getting data. In your existing dashboard you should be setting these tokens somewhere (which is not present in the search query you have shared). So share more details from your code so that we can assist further.
