Splunk Enterprise Security

Creating report for incidents reviewed in Splunk Enterprise Security

adamblock1
Explorer

I am interested in creating a report which shows Enterprise Security Incidents which were updated during a specific time period. It appears that the Enterprise Security app writes incident information to a lookup table. The time of each update is stored in this table with the fieldname "_time".

When searching for "_time", I am not sure how to differentiate between the Splunk "_time" value and the variable stored in this lookup table.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi, I believe this documentation page may help -- _time is in locale, time is in GMT.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...