Splunk Enterprise Security

How do you add an additional “Drill-down Search” in the details of a Notable Event?

joe_kraxner
Explorer

When you expand the details of a Notable Event in Enterprise Security (ES) 3.x there is a heading called “Contributing Events” that presents a link for the “drill-down search” configured in the Correlated Search that generated the Notable Event.

Does anyone know if it is possible to add an additional “Drill-down Search” to provide another drill-down or alternative search in support of the Notable event?

Thank you.

joe_kraxner
Explorer

Just released in Splunk Enterprise Security 7.2.0, this is now a feature.

  • Splunk Idea ESSID-I-67: Ability to configure multiple drill-down searches for notable

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

As far as I know, it's not possible out of the box. One workaround might be to use a workflow for a specific field that will be in your incident (but it will be available form everywhere).

Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...