Search Notables by Time of Comments

JeffBothel · ‎11-01-2017

In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that a comment is added to a notable that is generated. For example; I want to find all the notable events that I closed in an evening based on me making a comment on that notable during that timeframe instead of when the notable was generated.

smoir_splunk · ‎11-01-2017

You can use the incident_review macro to do this. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

I'm struggling to get answers to accept my super basic example search, so I hope that page is helpful enough for what you need!

Example search:

|`incident_review` |fields comment,reviewer

JeffBothel · ‎11-01-2017

Also it would be nice if I could separate it by the comment creator or other fields that might be attributed as well. For example; find all the notables that I specifically worked on in a given timeframe based on a search that finds all comments I made to notables between a certain amount of time.

lfedak_splunk · ‎11-06-2017

Hey @JeffBothel, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a working solution. We’re hosting a karma point contest, so it’s particularly awesome to up vote on Answers these days. 😄

Search Notables by Time of Comments

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life