Splunk Enterprise Security

Cannot jump to Ad-Hoc AR action result, 'orig_action_name' changed when 'tag=modaction_result' is applied

ee07b291
Explorer

Splunk Enterprise
Version: 7.1.2

Enterprise Security
Version: 5.1.0
Build: 12

When testing our AR action add-on in Enterprise Security, we triggered our AR action in an ad-hoc fashion and it succeeded. When we clicked on the link to jump to the result, the search bar was populated as

tag=modaction_result orig_sid=1531348691.763 orig_rid=0 orig_action_name=<our action name>

but there is no result.

If I removed the tag=modaction_result part (keeping the rest of the query intact), the result showed up and the orig_action_name is our action name.
If I removed the orig_action_name=<our action name> part (keeping the rest of the query intact), the result showed up as well, but the orig_action_name is notable.

Is this an unknown issue? Did I do anything wrong?


DavidHourani
Super Champion

Hi there,

Make sure you tag your events so they show up when you run the search using the tag as your base search.

To do so, start by creating an eventtype that points to the events showing your action. Then enable the tag modaction_result on that eventtype. Your results should show!

Cheers,
David

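The eventtype and tag David describes, written out as an added example (not the poster's add-on and not Splunk's own configuration). The eventtype name my_action_modaction_result and the sourcetype modular_alerts:my_action are assumed placeholders; replace them with whatever your add-on's result events actually carry.

```ini
# --- eventtypes.conf (in your add-on's default/ or local/ directory) ---
# Placeholder eventtype name and sourcetype: the search must match the
# events your action writes, which carry orig_sid, orig_rid and
# orig_action_name so the "jump to result" link can filter on them.
[my_action_modaction_result]
search = sourcetype="modular_alerts:my_action" orig_action_name=my_action

# --- tags.conf ---
# Attach the modaction_result tag to that eventtype. Without this, the
# search "tag=modaction_result orig_action_name=my_action" returns
# nothing, even though the raw events exist.
[eventtype=my_action_modaction_result]
modaction_result = enabled

# --- metadata/default.meta ---
# Enterprise Security runs the result search from its own app context,
# so the eventtype and tag must be exported system-wide or ES will not
# see them.
[eventtypes]
export = system

[tags]
export = system
```

After restarting or reloading the add-on, the search from the question (tag=modaction_result ... orig_action_name=<your action name>) should return the same events that the search without the tag already returned.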


back2root
Path Finder

Define an eventtype with the tag=modaction_result for your events.


thambisetty
SplunkTrust

Hi @ee07b291,

I just opened Incident Review in Splunk ES and clicked on Notable AR, and Splunk ran the search below and it's working fine for me.

tag=modaction_result orig_sid=scheduler__adminuser__SplunkEnterpriseSecuritySuite__RMD5b63c2c552261a7c6_at_1532091600_37891 orig_rid=3 orig_action_name=notable

ee07b291
Explorer

Seems to be due to my version of Splunk Enterprise Security. Thanks for the answers.
