Splunk® Enterprise Security

Administer Splunk Enterprise Security

Modify the fields for findings in Splunk Enterprise Security

Modify the fields for findings so that you can customize the display of these fields on the Mission Control page in Splunk Enterprise Security. For example, change the label of a field, remove a field, or add a field to the Additional Fields section of the finding details. Changes that you make to the fields impact all findings.

Follow these steps to modify the fields for findings in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select Configure.
  2. Select Findings and investigations and then select Field values for findings.
  3. Select Edit to change a field or its label, which modifies how the field is displayed on the Mission Control page.
  4. Select Remove to remove a field from the finding details on the Mission Control page.
  5. Select Save.

Add a field to the finding details

A field appears in the Additional fields section of the finding details on the Mission Control page if the field exists in the detection search results. To add a field to the finding details, first ensure that the detection results include the field, and then ensure that the Mission Control page displays the field.

Follow these steps to add a field to the finding details and the Mission Control page:

  1. Determine whether the field you want to see is included in the detection search results by running the detection on the Search page and reviewing the output, or by inspecting the search syntax.
    • If the field exists in the search results, add the field to the list of additional fields (see Add the field to the list of additional fields).
    • If the field does not exist in the search results, modify the detection search processing language (SPL) query to include the field (see Modify the detection SPL to include the field).

Modify the detection SPL to include the field

Follow these steps to modify the detection SPL to include the field:

  1. Edit the search.
    1. If you created the search manually, modify the detection SPL to extract the fields. Make sure that you do not modify the correlation criteria when you modify the detection.
    2. If you did not create the search manually, add the field as an aggregate function with an alias. Use the values function to return all possible values of a given field, or the latest function to return the most recent value for the field.
  2. Extract fields.
    1. If the detection includes statistical transformations, extract the fields when you perform the statistical transformation.
    2. If the detection does not include statistical transformations, add | fields + newfieldname to the end of the SPL, where newfieldname is the name of the new field you want to see in the additional details.
  3. Verify changes to detection on the Search page before saving them.
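An added example, not from the Splunk documentation, showing both branches of step 2 for two constructed detections: the first uses stats, so dest_port and user are carried through as aliased aggregate functions while the correlation criterion (count > 50) is left as it was; the second has no statistical transformation, so the new fields are appended with fields +. The index names, sourcetypes and field names are assumptions.

```spl
index=firewall sourcetype=fw_events action=blocked
| stats count values(dest_port) as dest_port latest(user) as user by src dest
| where count > 50

index=auth sourcetype=ssh_logs action=failure
| search user="root"
| fields + src dest user reason
```

Run each search on the Search page and confirm that dest_port, user and reason appear in the results before saving the detection; only fields present in the results can be added under Additional Fields.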

Add the field to the list of additional fields

Follow these steps to add the field to the list of additional fields:

  1. In Splunk Enterprise Security, select Configure.
  2. Select Findings and investigations.
  3. Select Field values for findings.
  4. Select Add field to add the new field to the Additional Fields section of the finding details.
  5. In the Edit event attribute dialog, enter a Field to match the field that you want to appear in the finding details.
  6. Enter a Label to use as the display name of the field in the finding details.
  7. Select Save.

SPL search to verify the additional fields

Use the following search to get a list of all of the active Additional fields.

| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review
| fields event_attributes
| eval d=split(event_attributes, "},")
| rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)"
| rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)"
| eval mv=mvzip(field,label)
| fields mv
| mvexpand mv
| eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1)
| table field, label

A truncated example response follows.

field                        label
action                       Action
app                          Application
bytes_in                     Bytes In
bytes_out                    Bytes Out
category                     Category
change_type                  Change Type
channel                      Channel
command                      Command
cpu_load_percent             CPU Load (%)
creator                      Creator
creator_realname             Creator Realname
cve                          CVE
decoration                   Decoration
desc                         Description
dest                         Destination
dest_threatlist_category     Destination Threat List Category
dest_threatlist_description  Destination Threat List Description
dest_threatlist_name         Destination Threat List Name
dest_bunit                   Destination Business Unit
dest_category                Destination Category

Find findings based on calculated eval fields

You can find findings using the Search bar of the Mission Control page by filtering on specific fields, such as src and dest, that exist in the finding. However, you might not find findings by filtering on search-time calculated eval fields such as event_hash or event_id.

This is because the Search bar on the Mission Control page supports freeform keyword or text search, which might not apply to all of the information on the Mission Control page. Search-time calculated eval fields are not directly searchable.

As a workaround, you can retrieve the findings using the Search bar by filtering with fully qualified SPL syntax.

For example, if you want to search for findings with entities that contain foobarbaz, you can use entity="foobarbaz" or entity="foobarbaz*".

See also

For more information on fields in findings, see the product documentation:

Configure findings manually to track specific fields in Splunk Enterprise Security

Last modified on 26 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
