Splunk Enterprise Security

How do you add an additional “Drill-down Search” in the details of a Notable Event?

Explorer

When you expand the details of a Notable Event in Enterprise Security (ES) 3.x there is a heading called “Contributing Events” that presents a link for the “drill-down search” configured in the Correlated Search that generated the Notable Event.

Does anyone know if it is possible to add an additional “Drill-down Search” to provide another drill-down or alternative search in support of the Notable event?

Thank you.

Splunk Employee
Splunk Employee

As far as I know, it's not possible out of the box. One workaround might be to use a workflow for a specific field that will be in your incident (but it will be available form everywhere).

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!