I am interested in creating a report which shows Enterprise Security Incidents which were updated during a specific time period. It appears that the Enterprise Security app writes incident information to a lookup table. The time of each update is stored in this table with the field name "_time".
When searching for "_time", I am not sure how to differentiate between the Splunk "_time" value and the variable stored in this lookup table.
Hi, I believe this documentation page may help -- _time is in locale, time is in GMT.
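One way to build the report so the lookup's own `_time` field cannot be confused with event `_time`, as an added example that is not part of the question or the answer above: read the lookup directly with `inputlookup` and rename its `_time` before doing anything else. The lookup name `incident_review_lookup`, the field names in the `table` line, and the 7-day window are assumptions to adjust for your ES version.

```spl
| inputlookup incident_review_lookup
| rename _time AS incident_update_time
| where incident_update_time >= relative_time(now(), "-7d@d")
| eval incident_update_time_str = strftime(incident_update_time, "%Y-%m-%d %H:%M:%S %Z")
| table incident_update_time_str rule_id status owner reviewer comment
| sort - incident_update_time
```

Because `inputlookup` emits rows rather than indexed events, the search time-range picker does not filter on the lookup's `_time`; the `where` clause above is what restricts the report to the period of interest.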