Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Listing incident review and the closing comments

Enterprise Security

Description

Submitted by Opeyemi Olatunji

2 0 
index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status
| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))
| dedup "Closing Comment"

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom