Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare Notables (Index) vs Investigations

cachexploit
Explorer
‎02-18-2021 10:05 AM

I want to show how many ES Notables were opened in the last 30 days and how many investigations were opened on a line chart.  I can get the notable Index over the last 30 days, no problem but how do I add in the `investigations` to the same line chart?

 

Here is the query I am using for the notables

 

index=notable |bucket _time span=day |stats count by _time

0 Karma
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎02-18-2021 10:15 AM

Does it have to be a line chart? Would the audit dashboards show similar results? 
https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Incident_Review_Audit
https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Investigation_Overview 

Reply

cachexploit
Explorer
‎02-18-2021 10:24 AM

I have reviewed these and I am trying to combine them in ONE chart.  More of a ROI for Splunk Enterprise.  I want to show on a line chart (or a similar visualization) how many notables are created by ES and how many investigations we start (and eventually show how many we close).

This is basically what I am trying to combine...

index=notable |bucket _time span=day |stats count by _time

AND

| `investigations` earliest="-30d@h" latest="now" | `get_realname(creator)` | fieldformat create_time=strftime(create_time, "%c") | `uitime("mod_time")` | eval _time=create_time, id=title | `investigation_get_current_status` | `investigation_get_collaborator_count` | eval _time=create_time | timechart span=1d count by creator_realname

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...