Splunk Enterprise Security

Drill down search is not working in Splunk Enterprise Security Incident Review tab

kausar
Path Finder

I've made a correlation search that appears to be working fine. But in order to create the contributing event in the notable event, when I use a drilldown search, | datamodel Authentication Authentication search | search Authentication.user="$user$", I see some issues:

1- It is not picking the right $user$; it just has "unknown", which is not correct.
2- When I click on the contributing event link, it opens the search page but with the default time range and not the date/time range in which the event happened, plus of course the query becomes | datamodel Authentication Authentication search | search Authentication.user="unknown", which I want to fix.

Note that, I have
Drill-down earliest offset set as $info_min_time$
Drill-down latest offset set as $info_max_time$

Please advise.


szabados
Communicator

As far as I've experienced, only those fields that are (or can be) displayed in the "Additional fields" section can be reused in the drill-down search.

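As an added example (not from either poster), one way to make the drill-down tokens resolve, following szabados's point that the drill-down can only substitute fields that are actually present on the notable event: the correlation search has to emit a field literally named user (a tstats over the data model produces Authentication.user by default), and the info_min_time/info_max_time fields that the earliest/latest offset settings reference have to be on the result row as well. The stanza name, schedule, threshold, security domain and severity below are assumptions; the savedsearches.conf keys are the standard ES correlation search keys.

```ini
# savedsearches.conf in a custom ES app.  Added example, not from the thread.
# Stanza name, schedule, threshold, domain and severity are assumptions.
[Access - Excessive Failed Logins By User - Rule]
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
action.correlationsearch.enabled = 1
action.correlationsearch.label = Access - Excessive Failed Logins By User

# The correlation search.  tstats returns data-model field names
# (Authentication.user, Authentication.src); the rename strips the prefix so
# the notable event carries a field literally called "user" for $user$ to bind to.
# addinfo adds info_min_time / info_max_time to every result row so the
# drill-down offset tokens further down have a field to resolve against.
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication \
           where Authentication.action="failure" \
           by Authentication.user, Authentication.src \
         | rename "Authentication.*" as "*" \
         | where count > 10 \
         | addinfo

action.notable = 1
action.notable.param.rule_title = Excessive failed logins for $user$
action.notable.param.rule_description = $count$ failed logins for $user$ from $src$
action.notable.param.security_domain = access
action.notable.param.severity = medium

# Contributing-events drill-down.  $user$ substitutes the notable's "user"
# field; the datamodel search itself is still filtered on the data-model
# field name Authentication.user.
action.notable.param.drilldown_name = View failed logins for $user$
action.notable.param.drilldown_search = | datamodel Authentication Authentication search | search Authentication.user="$user$" Authentication.action="failure"
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$
```

The quick check is to run the correlation search by hand and confirm that user, info_min_time and info_max_time appear as columns in the results; if the rename is left out, the only user-like column is Authentication.user, the notable has no user field for the token to read, and the symptoms in the question follow. Whatever fields the drill-down references have to be in that result table, which is exactly what shows up under "Additional fields" in Incident Review.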