topic Re: How to configure Splunk Enterprise Security Drill-down Earliest Offset in Splunk Enterprise Security

How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti — Wed, 13 Jul 2022 19:23:21 GMT

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.

I'm trying this configuration but seems not to work properly.

Is there a way to do so? Is there a way to set earliest in the Drill-down search?

Thanks a lot

Marta

Re: How to configure Splunk Enterprise Security Drill-down Earliest Offset

VatsalJagani — Wed, 13 Jul 2022 18:49:26 GMT

@martaBenedetti - Have you tried:

$info_min_time$ - 2m

I hope this helps!!!

Re: How to configure Splunk Enterprise Security Drill-down Earliest Offset

martaBenedetti — Thu, 14 Jul 2022 07:17:41 GMT

Hi @VatsalJagani,

it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search with no success since when I click on drill-down this error appears:

Re: How to configure Splunk Enterprise Security drill-down earliest offset?

harishalipaka — Thu, 14 Jul 2022 12:06:23 GMT

@martaBenedetti

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Re: How to configure Splunk Enterprise Security drill-down earliest offset?

VatsalJagani — Thu, 14 Jul 2022 12:04:01 GMT

@martaBenedetti - Try just using 120

(Basically time period in seconds)

I hope this helps!!!

Re: How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti — Thu, 14 Jul 2022 12:49:36 GMT

Hi @harishalipaka

I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞

Re: How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti — Thu, 14 Jul 2022 12:51:50 GMT

Hi @VatsalJagani ,

I've tried setting in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down.

Thanks anyway

Re: How to configure Splunk Enterprise Security drill-down earliest offset?

mbagley — Mon, 14 Oct 2024 16:43:46 GMT

If you'll forgive the late reply...

I ran into your problem this morning and found a workaround. (And wanted to answer in case someone else runs across this thread in the future, like I did.)

Either leave the "Earliest Offset" value blank, or default, and then hard-code the time you need into your search.

For example, I needed to look back 1 month, so I added the following to my first line:
earliest=-1mon

That solved the issue for me.