Deployment Architecture

Why drilldown using all-time in Enterprise Security Incident Review

zksvc
Contributor

Hi Everyone, in the default correlation search named "Excessive Failed Logins", my drilldown cannot resolve $info_min_time$ and $info_max_time$, so clicking the drilldown searches in All Time. If every other correlation search's drilldown matches the time at which the correlation search triggered, why does this one search in All-Time mode?


Collthulhu
Engager

I haven't found a fix, but this is how I've been working around it:

In the detection search, make sure to call addinfo.
Then you can still use info_min_time/info_max_time to filter. You just have to do the filtering yourself.

Examples:

index=StuffYouWant starttimeu=$info_min_time$ endtimeu=$info_max_time$ | ...

 

| from datamodel:"Authentication"."Failed_Authentication" | search  _time>$info_min_time$ _time<$info_max_time$ ...

Sodaro
Engager

Were you able to find a fix for this?

I'd really hate to have to modify all Detections again after prepping for ES8.

0 Karma

zksvc
Contributor

Unfortunately, I haven't found a fix for this yet.
I hope someone will share the solution so I can mark it as the solution and help other people.

0 Karma

LAME-Creations
SplunkTrust

Just for troubleshooting purposes, can you create a brand new event finding (what used to be called a correlation search before Splunk ES 8?)

What I like to do is check whether this is a problem with just this search or is systemic. So I make my search something generic like

index=_internal | head 1 | table index, sourcetype, _time

Again, the above query is just a query that you know will have results each time it runs. Feel free to make the search anything you want. Then plug in your drilldown using the same values you applied in your question. When the alert fires and you click its drilldown, does it go All Time or does it use the time selection that you gave it?

Again, this is just to identify whether this is a problem for one correlation search or for all of your correlation searches. This will allow us to get a better idea of what is and what is not working.

0 Karma

zksvc
Contributor

Removed

0 Karma

StuartMacL
Path Finder

Did you find the reason for this? 

Since upgrading to ES 8.0.2, all of our Correlation Searches (Event-driven searches) now use 'All time' instead of the $info_min_time$ and $info_max_time$ specified in the rule!

livehybrid
SplunkTrust

Hi @zksvc 

Try adding ` | addinfo` to the end of your search. This will add the info_* fields to the results and should let you use them within your drilldown.

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

0 Karma

zksvc
Contributor

It added a table like this:

info_max_time  info_min_time  info_search_time  info_sid
+Infinity      0.000          17398492392.991   123123412132323

Is it because min_time = 0 and max_time = +Infinity? And what would be the solution?

0 Karma

livehybrid
SplunkTrust

Hmm, is your ES rule looking at All Time? If so, does it need to? This could chew up quite a bit of resource.

0 Karma

zksvc
Contributor

This rule already has a default from Splunk, with a time range of earliest rt-65m@m and latest rt-5m@m. But doesn't the drilldown only follow the time when the event is triggered?
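One way to keep the drilldown bounded when addinfo reports info_min_time = 0 and info_max_time = +Infinity, as the output above shows under this rule's real-time window. This is an added example, not code from the thread or from Splunk's shipped rule; it assumes the rule's default rt-65m@m / rt-5m@m window, a hypothetical failure threshold of 5, and that $field$ tokens in the ES drilldown resolve to fields on the notable event. The eval falls back to a window derived from info_search_time only when the info_* bounds are unbounded, so searches with a normal scheduled window keep using them unchanged.

```spl
| from datamodel:"Authentication.Failed_Authentication"
| stats count AS failure_count BY src, user
| where failure_count > 5
| addinfo
| eval drilldown_earliest=if(info_min_time > 0, info_min_time, relative_time(info_search_time, "-65m@m")),
       drilldown_latest=if(isnum(info_max_time), info_max_time, relative_time(info_search_time, "-5m@m"))
```

The drilldown search then references the new fields instead of the info_* ones, for example `| from datamodel:"Authentication.Failed_Authentication" | search src=$src$ user=$user$ earliest=$drilldown_earliest$ latest=$drilldown_latest$`, so it never falls through to All Time.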
