Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti
Path Finder
‎07-13-2022 01:00 AM

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down  search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.

I'm trying this configuration but seems not to work properly.

martaBenedetti_0-1657698483064.png

Is there a way to do so? Is there a way to set earliest in the Drill-down search?

 

Thanks a lot

Marta

 

 

0 Karma
Reply

mbagley
New Member
‎10-14-2024 09:43 AM

If you'll forgive the late reply...

I ran into your problem this morning and found a workaround. (And wanted to answer in case someone else runs across this thread in the future, like I did.)

Either leave the "Earliest Offset" value blank, or default, and then hard-code the time you need into your search.

For example, I needed to look back 1 month, so I added the following to my first line:
earliest=-1mon

That solved the issue for me.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2022 05:04 AM

@martaBenedetti - Try just using 120

(Basically time period in seconds)

 

I hope this helps!!!

0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 05:51 AM

Hi @VatsalJagani ,

I've tried setting  in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down.

Thanks anyway

0 Karma
Reply

harishalipaka
Motivator
‎07-14-2022 04:13 AM

@martaBenedetti 

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Thanks
Harish
0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 05:49 AM

Hi @harishalipaka

I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞

martaBenedetti_0-1657802937431.png

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 AM

@martaBenedetti - Have you tried:

$info_min_time$ - 2m

 

I hope this helps!!!

0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 12:17 AM

Hi @VatsalJagani,

it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search  with no success since when I click on drill-down this error appears:

martaBenedetti_0-1657782974195.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...