Tokens - Drill Down Search

Sultan77
Loves-to-Learn Lots

Hello everyone,

I’ve encountered a problem while setting up a correlation search. For instance, when I use the following query:

index=windows AND EventCode=4624

I end up getting multiple alerts. To refine this, I attempted to add a Drill Down Search like this:

index=windows AND EventCode=4624 host="$host$"

However, this returns no results. Does anyone have suggestions or ideas that might help resolve this? Any input would be greatly appreciated!

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @Sultan77 

I think there may be some confusion in this thread. It sounds like you're creating an Enterprise Security Correlation Search, right? The screenshots you posted where you specify host=$host$ in the DrillDown search are for when a notable event has been created and a security analyst is viewing it. They'll be presented with a DrillDown search link designed to help take them to the event(s) which caused the notable to fire.

Is that your understanding? Is it the drilldown you are wanting to restrict further, rather than the initial correlation search which created the notables? If so you need to find other fields in the returned data that can limit the events returned in the drilldown, such as eventID.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Sultan77
Loves-to-Learn Lots

Dear @livehybrid 

You're right, that's exactly what I'm attempting to do.

As for limiting the events returned, I'm working on specifying something distinctive, like the host that triggered the Event ID or the user involved.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Sultan77 ,

If you want to open in drilldown only the events related to the results of the correlation search, you have to insert in the drilldown search a subsearch containing the correlation search.

In other words, if your correlation search lists some hosts, you should use a drilldown search like the following:

<the_same_search_conditions_of_the_correlation_search>
[ search <the_full_correlation_search> | fields host ]

Ciao.

Giuseppe

0 Karma
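To make the difference between the two drilldown approaches in this thread concrete, here is an added Python model (not code from the thread, from Splunk, or from any of the posters). It simulates three things over a handful of constructed Windows 4624 events: how a `$host$` token that nothing sets stays a literal string and so matches no event, how a correlation search that aggregates with `stats count by host` and a threshold (the threshold of 2 is an assumption for the demo) selects hosts, and how a subsearch ending in `| fields host` is expanded by Splunk into an OR list of `host="..."` terms, which is what gcusello's pattern relies on. The event data, host names and the tiny SPL subset parsed here are all constructed for the example; the choice to return nothing when no host fired is a modelling decision, not a statement about Splunk's empty-subsearch behaviour.

```python
"""Added example: an offline model of token vs. subsearch drilldowns.
Not Splunk code; events, hosts and the SPL subset below are constructed."""
import re
from collections import Counter

# Constructed sample events shaped like the results of a Windows 4624 search.
EVENTS = [
    {"index": "windows", "EventCode": "4624", "host": "WS01", "user": "alice"},
    {"index": "windows", "EventCode": "4624", "host": "WS01", "user": "alice"},
    {"index": "windows", "EventCode": "4624", "host": "WS02", "user": "bob"},
    {"index": "windows", "EventCode": "4625", "host": "WS02", "user": "bob"},
    {"index": "windows", "EventCode": "4624", "host": "DC01", "user": "svc_backup"},
    {"index": "linux",   "EventCode": "4624", "host": "WS01", "user": "alice"},
]

TERM = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_filter(search):
    """Parse the small SPL subset used in this thread: field=value terms,
    optionally quoted, separated by spaces or AND. A field that appears more
    than once (e.g. from an expanded OR list) accepts any of its values.
    Returns {field: {allowed values}}; AND across fields, OR within a field."""
    filters = {}
    for field, quoted, bare in TERM.findall(search):
        filters.setdefault(field, set()).add(quoted if quoted else bare)
    return filters


def run_search(search, events):
    """Return the events matching every field filter in the search string."""
    filters = parse_filter(search)
    return [e for e in events
            if all(e.get(field) in values for field, values in filters.items())]


def substitute_tokens(search, tokens):
    """Model $name$ substitution: a token nothing has set stays a literal
    string, which is why host="$host$" matched no real host in the question."""
    return re.sub(r"\$(\w+)\$", lambda m: tokens.get(m.group(1), m.group(0)), search)


def correlation_search(events, threshold=2):
    """Model: index=windows EventCode=4624 | stats count by host
              | where count >= threshold   (threshold is an assumed value)."""
    hits = run_search("index=windows EventCode=4624", events)
    counts = Counter(e["host"] for e in hits)
    return {host: n for host, n in counts.items() if n >= threshold}


def subsearch_or_list(field, values):
    """Model how Splunk returns a subsearch ending in `| fields <field>`:
    its rows come back as an OR list of field="value" terms."""
    return "(" + " OR ".join(f'{field}="{v}"' for v in sorted(values)) + ")"


def token_drilldown(events, tokens):
    """The drilldown from the question: host="$host$" appended to the base search."""
    search = substitute_tokens('index=windows EventCode=4624 host="$host$"', tokens)
    return run_search(search, events)


def subsearch_drilldown(events):
    """gcusello's pattern: base conditions plus a subsearch of the correlation
    search reduced to `| fields host`. With no firing host there is nothing
    to drill into, so the model returns no events (a modelling choice)."""
    hosts = correlation_search(events)
    if not hosts:
        return []
    search = "index=windows EventCode=4624 " + subsearch_or_list("host", hosts)
    return run_search(search, events)


if __name__ == "__main__":
    print("hosts that fired:", correlation_search(EVENTS))
    print("token drilldown, token unset:", len(token_drilldown(EVENTS, {})), "events")
    print("token drilldown, token set by a dashboard:",
          len(token_drilldown(EVENTS, {"host": "WS01"})), "events")
    print("subsearch drilldown:", [e["host"] for e in subsearch_drilldown(EVENTS)])
```

Running it shows the unset token yielding zero events while the same token works once something (such as a dashboard) sets it, which is the distinction ITWhisperer's questions were probing, and shows the subsearch drilldown narrowing to the two WS01 logons that made the correlation search fire.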

ITWhisperer
SplunkTrust
SplunkTrust

Is this in a dashboard?

Are you using Classic SimpleXML or Studio?

Where is the token being set?

0 Karma

Sultan77
Loves-to-Learn Lots

Dear @ITWhisperer ,

I am trying to set a correlation search. ( content management -> correlation search)

[two screenshots of the correlation search drilldown settings attached]

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Sultan77 ,

You cannot use a token in a Correlation Search, because it is executed automatically and you cannot pass a parameter to it.

Ciao.

Giuseppe

0 Karma