Splunk Enterprise Security

How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti
Path Finder

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2 minutes.

I'm trying this configuration but it seems not to work properly.

[Screenshot: martaBenedetti_0-1657698483064.png]

Is there a way to do so? Is there a way to set earliest in the Drill-down search?


Thanks a lot

Marta


0 Karma

VatsalJagani
SplunkTrust

@martaBenedetti - Try just using 120

(Basically time period in seconds)


I hope this helps!!!

0 Karma

martaBenedetti
Path Finder

Hi @VatsalJagani ,

I've tried setting in the drill-down offset 120 instead of 2m; the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill-down.

Thanks anyway

0 Karma

harishalipaka
Motivator

@martaBenedetti 

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Thanks
Harish
0 Karma

martaBenedetti
Path Finder

Hi @harishalipaka

I've tried setting earliest in the drill-down search as you suggested, but unfortunately I got the same error 😞

[Screenshot: martaBenedetti_0-1657802937431.png]


0 Karma

VatsalJagani
SplunkTrust

@martaBenedetti - Have you tried:

$info_min_time$ - 2m


I hope this helps!!!

0 Karma

martaBenedetti
Path Finder

Hi @VatsalJagani,

It is not possible to set that value in the Drill-down offset; a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search with no success, since when I click on drill-down this error appears:

[Screenshot: martaBenedetti_0-1657782974195.png]


0 Karma
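As an added illustration (not code from this thread or from Splunk), the following Python converts a relative span such as the "2m" the offset field rejects into the integer number of seconds it accepts, and applies it to a search's $info_min_time$ / $info_max_time$ (epoch seconds, as `addinfo` emits them) so the resulting drill-down window can be checked before the notable is saved. The unit table and sample timestamps are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Seconds per relative-time unit (constructed table for this example).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

_SPAN_RE = re.compile(r"^\s*-?\s*(\d+)\s*([smhdw])\s*$")


def offset_seconds(span: str) -> int:
    """Turn '2m' (or '-2m') into the integer seconds the offset field accepts.
    Anything else, e.g. '2minutes', is rejected rather than silently guessed."""
    m = _SPAN_RE.match(span)
    if not m:
        raise ValueError(f"unsupported span: {span!r}")
    value, unit = int(m.group(1)), m.group(2)
    return value * UNIT_SECONDS[unit]


def drilldown_window(info_min_time, info_max_time, earliest_offset, latest_offset):
    """Return (earliest, latest) epoch seconds for the drill-down search:
    earliest_offset seconds before info_min_time and latest_offset seconds
    after info_max_time. Both info_* values are epoch seconds, not ms."""
    if earliest_offset < 0 or latest_offset < 0:
        raise ValueError("offsets are non-negative second counts")
    return (int(info_min_time) - earliest_offset, int(info_max_time) + latest_offset)


def describe(window):
    """Human-readable UTC rendering of a (earliest, latest) window."""
    def fmt(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"earliest={window[0]} ({fmt(window[0])}) latest={window[1]} ({fmt(window[1])})"


if __name__ == "__main__":
    # Constructed sample: a 5-minute search window starting 2022-07-13 07:00:00 UTC.
    info_min = 1657695600
    info_max = 1657695900
    print(offset_seconds("2m"))  # 120
    print(describe(drilldown_window(info_min, info_max, offset_seconds("2m"), 0)))
```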