Splunk Enterprise
Version: 7.1.2
Enterprise Security
Version: 5.1.0
Build: 12
When testing our AR action add-on in Enterprise Security, we triggered our AR action in ad-hoc fashion and it succeeded. When we clicked on the link to jump to the result, the search bar was populated as
tag=modaction_result orig_sid=1531348691.763 orig_rid=0 orig_action_name=<our action name>
but there is no result.
If I removed the tag=modaction_result part (keeping the rest of the query intact), the result showed up and the orig_action_name is our action name.
If I removed the orig_action_name=<our action name> part (keeping the rest of the query intact), the result showed up as well, but the orig_action_name is notable.
Is this an unknown issue? Did I do anything wrong?
Hi there,
Make sure you tag your events so they show up when you run the search using tag as your base search.
To do so, start by creating an eventtype that points to the events showing your action. Then enable the tag modaction_result on that eventtype. Your results should show!
Cheers,
David
Define an eventtype with the tag=modaction_result for your events.
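Both answers above describe the same fix: an eventtype that matches the action's result events, with the modaction_result tag enabled on it. As an added example that is not from this thread, this is what that looks like in the add-on's default/eventtypes.conf and default/tags.conf, assuming the action writes its result events with the sourcetype my_ar_action:result (an assumed name; use whatever sourcetype your action actually emits):

```ini
# default/eventtypes.conf  (added example; the sourcetype name is assumed)
# Match the events your AR action writes when it reports its result.
# Do not put tag=modaction_result in this search: tags are attached by
# tags.conf, and an eventtype that searches for its own tag never matches.
[my_ar_action_result]
search = sourcetype="my_ar_action:result"

# default/tags.conf  (added example)
# Attach the modaction_result tag to that eventtype so the Incident Review
# drilldown search
#   tag=modaction_result orig_sid=... orig_rid=... orig_action_name=...
# can find the events.
[eventtype=my_ar_action_result]
modaction_result = enabled
```

Once the add-on is reloaded, tag=modaction_result orig_action_name=<your action name> should return the events; if it returns nothing while the same search without tag= finds them, check the eventtype's search and its sharing/permissions first.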
Hi @ee07b291,
I just opened Incident Review in Splunk ES and clicked on Notable AR, and Splunk ran the search below, and it's working fine for me.
tag=modaction_result orig_sid=scheduler__adminuser__SplunkEnterpriseSecuritySuite__RMD5b63c2c552261a7c6_at_1532091600_37891 orig_rid=3 orig_action_name=notable
Seems to be due to my version of Splunk Enterprise Security. Thanks for the answers.
Carefully read through this:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBF