Splunk Enterprise Security

Splunk App for Enterprise Security 3.3.1: Why are drilldowns from Notable Events not being bound to event time?

jeff
Contributor

Enterprise Security 3.3.1, Splunk 6.2.4.

I have notable events being generated by correlation searches (for instance, Short-lived account detected, but there are others). For each notable in the Incident Review dashboard, there are links to View original event and View account change events of $user$ (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results.

What should the notable event be keying off of for "event time"?

I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker).

1 Solution

jeff
Contributor

According to Splunk Support, this is consistent with the current design of Enterprise Security. Prior to 3.0, there was no setting at all for time constraints being set in Notable Events. The earliest and latest offsets, which key off of the notable event, were added at that point, but not setting these at all apparently reverts to the system default ("All Time" out of the box, -15m in our case, as set in ui-prefs.conf).

I asked that an enhancement request be submitted.

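To make the accepted answer's point concrete, here is a small added model of how the drill-down time window ends up being derived; it is not Splunk's or Enterprise Security's code. It assumes that the earliest/latest offsets are integer seconds relative to the notable event's own time (the correlation search settings I take these to be are drilldown_earliest_offset and drilldown_latest_offset; that naming is an assumption, not from the post), and that when either offset is unset the drill-down falls back to the UI default range from ui-prefs.conf, such as the "-15m" the poster mentions. The sample notable time and offsets are constructed.

```python
"""Model of an ES notable's drill-down time window (added example, not Splunk code).

Assumption: offsets are seconds relative to the notable's event time; when
unset, the drill-down silently uses the UI default range, which for an old
notable usually contains nothing, which matches the symptom in the question.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
Window = Tuple[datetime, datetime]


def parse_relative(spec: str, now: datetime) -> datetime:
    """Resolve a small subset of Splunk relative-time syntax against `now`.

    Supports 'now', '0' (earliest possible time, i.e. "All Time") and
    signed offsets such as '-15m', '-24h', '+5m'.
    """
    if spec == "now":
        return now
    if spec == "0":
        return EPOCH
    sign = -1 if spec.startswith("-") else 1
    body = spec.lstrip("+-")
    unit_seconds = {"s": 1, "m": 60, "h": 3600, "d": 86400}[body[-1]]
    return now + sign * timedelta(seconds=int(body[:-1]) * unit_seconds)


def drilldown_window(notable_time: datetime,
                     earliest_offset: Optional[int],
                     latest_offset: Optional[int],
                     now: datetime,
                     default_earliest: str = "-15m",
                     default_latest: str = "now") -> Window:
    """Return (earliest, latest) for the drill-down search.

    With both offsets set, the window is anchored on the notable's time.
    With either offset missing, the UI default range is used instead, so
    the window is anchored on `now` and no longer tracks the event.
    """
    if earliest_offset is None or latest_offset is None:
        return parse_relative(default_earliest, now), parse_relative(default_latest, now)
    return (notable_time + timedelta(seconds=earliest_offset),
            notable_time + timedelta(seconds=latest_offset))


def covers(window: Window, event_time: datetime) -> bool:
    """True if the original event's time lies inside the drill-down window."""
    earliest, latest = window
    return earliest <= event_time <= latest


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: a notable raised 6 hours ago, drilled into now.

    Returns whether the original event is found with (a) no offsets and the
    -15m default, (b) no offsets and the out-of-the-box "All Time" default,
    (c) offsets of one hour either side of the notable's time.
    """
    now = datetime(2015, 7, 1, 12, 0, tzinfo=timezone.utc)          # constructed
    notable_time = now - timedelta(hours=6)                          # constructed
    no_offsets_15m = drilldown_window(notable_time, None, None, now)
    no_offsets_all = drilldown_window(notable_time, None, None, now,
                                      default_earliest="0")
    with_offsets = drilldown_window(notable_time, -3600, 3600, now)
    return (covers(no_offsets_15m, notable_time),
            covers(no_offsets_all, notable_time),
            covers(with_offsets, notable_time))


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The three results line up with the answer: with offsets unset and a -15m default the drill-down misses the event entirely, the out-of-the-box "All Time" default only hides the problem by returning everything, and only the offsets anchored on the notable's time give analysts a window they can then widen or narrow from the time picker.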
