Splunk® Enterprise Security

Administer Splunk Enterprise Security

Add custom fields to investigation types in Splunk Enterprise Security

Add custom fields to match your business processes and identify the investigations that might require more attention.

A custom field is a unique label that you can assign to an investigation type in Splunk Enterprise Security. For example, if you want to investigate phishing incidents by tracing the emails back to their sources, you can create a custom field such as "originating sender" and assign it to the phishing investigation type so that the sender is captured consistently on every phishing investigation. You can view and edit custom field values for an investigation in the Overview tab.

Create a custom field

Follow these steps to create a custom field:

  1. In Splunk Enterprise Security, select the Configure tab.
  2. Select Findings and Investigations and then select Custom fields.
  3. Select +Custom field to create a custom field for specific investigation types to match your business processes.
  4. Give your custom field a name.
  5. Decide whether you want your custom field to be global. Global custom fields apply to all investigations.
  6. (optional) To assign an investigation type to your custom field, select No for Global Field, and then enter the investigation type. You can either enter the name of an existing investigation type or create a new one.
  7. Select a data type, for example Alpha, Alphanumeric, IP address, or Numeric. The data type determines which values the field accepts.
  8. Select a field type. If you select Selection for field type, add field values.
  9. Decide whether you want to allow inline editing for the custom field value. Select the Allow inline editing check box to automatically save edits made to the field value in the Overview tab of an investigation. If you deselect the check box, you can still edit the custom field value along with other summary field values.
  10. Select whether or not you want to require a custom field value before closing an investigation. Selecting Yes for Resolution needed requires a user to enter a value for the custom field in the Overview tab of their investigation before they can close the investigation.
  11. Select Confirm.

Manage custom fields

You can manage your existing custom fields in the custom fields table by deleting the ones you no longer want and by reordering the ones you do. You can also edit the properties of a custom field you already created.

The following table identifies the actions to manage custom fields:

Action: Delete
Steps: Select the trash can icon next to the field you want to delete, and then select Delete to confirm the deletion.

Action: Edit
Steps: Select the pencil icon next to the field you want to edit. You can change any of the properties that you set when you created the custom field.

Action: Reorder
Steps: Select and drag the move icon next to the field you want to relocate. You can drop the field anywhere in the table.

See also

For more information on investigation types, see Create investigation types in Splunk Enterprise Security in the product documentation.

Last modified on 26 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0