Splunk Enterprise Security

Drill down search is not working in Splunk Enterprise Security Incident Review tab

kausar
Path Finder

I've made a correlation search that appears to be working fine. But when I use a drilldown search to create the contributing events in the notable event - | datamodel Authentication Authentication search | search Authentication.user="$user$" - I see some issues:

1- It is not picking up the right $user$; it just has "unknown", which is not correct.
2- When I click on the contributing event link, it opens the search page, but with the default time range and not the date/time range in which the event happened. Of course the query also becomes | datamodel Authentication Authentication search | search Authentication.user="unknown", which I want to fix.

Note that I have:
Drill-down earliest offset set as $info_min_time$
Drill-down latest offset set as $info_max_time$

Please advise.

0 Karma

szabados
Communicator

As far as I've experienced, only those fields can be reused in the drill-down search, which are/can be displayed in the "Additional fields" section.

0 Karma
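The answer above is the practical rule: a drilldown token such as $user$ is substituted from a field that exists on the notable event itself. The search in the question filters on Authentication.user, so if the correlation search only ever produces a field called Authentication.user (or no user field at all), there is nothing named user on the notable and the token falls back to "unknown". The following SPL is an added example, not code from the original post or from Splunk; it assumes a CIM-compliant Authentication data model and that no other transform renames the field. The field and threshold values (the action=failure filter, the count > 10 threshold) are constructed for illustration.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where Authentication.action="failure"
    by Authentication.user, Authentication.src
| where count > 10
| rename Authentication.user AS user, Authentication.src AS src
| addinfo
```

The `rename` is the important step: after it, every result row carries a top-level `user` field, which is what `$user$` in the drilldown search resolves from. `| addinfo` (a standard SPL command, assumed here rather than provided by ES) attaches `info_min_time` and `info_max_time` to each row with the scheduled search's time bounds, so the `$info_min_time$` / `$info_max_time$` offsets in the question resolve instead of falling back to the default time range. The drilldown search itself can then stay exactly as written in the question, `| datamodel Authentication Authentication search | search Authentication.user="$user$"`, because the token now has a value to substitute.

To check this before touching the correlation search settings, run the correlation search manually over its scheduled window and confirm the results table shows columns named `user`, `info_min_time` and `info_max_time` (not only `Authentication.user`). Any field that appears there will also show under the notable's "Additional fields" in Incident Review and can be referenced as a token; a field that is missing from that table cannot be.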