sourcetype=WinEventLog:Security (EventCode=4720) | eval date=strftime(_time, "%Y/%m/%d") | rex "New\sAccount:\s+.*\s+\w+\s\w+:\s+(?<NewAccount>.*)" | rex "Account\sName:\s+(?<SourceAccount>.*)" | stats count by date, NewAccount, SourceAccount, Keywords, host | sort - date | rename NewAccount as user | rename SourceAccount as src_user
Why do $src_user$ and $user$ not show data? What should I do to fix it? -> http://prntscr.com/hdt8mm
Description: $src_user$ created account $user$ on system $orig_host$
shows as:
Description: Unknown created account unknown on system WIN2012LAB.
My previous answer did not address the actual issue you're seeing. What you're running into is that your original data has the fields referenced by your description, but your correlation search results did not. Your notable event description needs to only reference fields returned by your correlation search. This may be as simple as adding a BY clause to your tstats search command, assuming your correlation search uses tstats.
For further guidance you might want to post your correlation search and your notable event's drilldown search.
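As an added illustration of the point above (not code from the thread or from Splunk), this savedsearches.conf stanza keeps the search and the notable description side by side so that every $token$ in the description is a column the search's stats BY clause emits. The stanza name, schedule, security domain and severity are assumed placeholders, and it assumes, as the original description already does, that the search's host field is exposed to the description as orig_host.

```ini
# Assumed stanza name and schedule; adjust to the environment.
[Threat - Windows Local Account Created - Rule]
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
# Rename before stats so the BY clause itself yields the token names
# (field names are case-sensitive: "date", not "Date").
search = sourcetype=WinEventLog:Security EventCode=4720 \
  | rex "Account\sName:\s+(?<src_user>[^\r\n]+)" \
  | rex "New\sAccount:\s+[^\r\n]*[\r\n]+\s*Account\sName:\s+(?<user>[^\r\n]+)" \
  | eval date=strftime(_time, "%Y/%m/%d") \
  | stats count by date, src_user, user, host \
  | sort - date
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.rule_title = Account $user$ created by $src_user$ on $orig_host$
# src_user and user are BY fields of the search above; orig_host is assumed
# to be how the notable exposes the search's host field.
action.notable.param.rule_description = $src_user$ created account $user$ on system $orig_host$
```

Running the search by itself in the Search app and confirming that the columns src_user, user and host are populated is the quickest check that the description tokens will resolve.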
I don't correctly understand how to change my search with BY and tstats.
Can you help?
Variable substitution for the notable title only occurs (by default) on the builtin ES views. If you want to have the event itself show the substituted values you would have to add that functionality elsewhere. One potential solution is detailed here:
https://answers.splunk.com/answers/544388/how-to-get-or-generate-splunk-es-notable-event-tit.html
There are other solutions as well, but I can't find references to them right now.
As I understand it, I need to change the code as in your link.
And where can I change it?
Can you be more specific about what problem you are facing?
@test_qweqwe, can you add the code where you are setting the tokens
$src_user$ created account $user$ on system $orig_host$
Also, when you display the table with these three fields, are they showing the correct value? If they are coming from the above table, can you add some sample data from the output?
They show correct value.
http://prntscr.com/hdtl3i
can you add the code where you are setting the tokens
What does it mean?
You have mentioned in your question that $user$, $orig_host$ and $src_user$ are not getting data. In your existing dashboard you should be setting these tokens somewhere (which is not present in the search query you have shared). So share more details from your code so that we can assist further.