Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti
Path Finder
‎07-13-2022 01:00 AM

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down  search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.

I'm trying this configuration but seems not to work properly.

martaBenedetti_0-1657698483064.png

Is there a way to do so? Is there a way to set earliest in the Drill-down search?

 

Thanks a lot

Marta

 

 

0 Karma
Reply

mbagley
New Member
‎10-14-2024 09:43 AM

If you'll forgive the late reply...

I ran into your problem this morning and found a workaround. (And wanted to answer in case someone else runs across this thread in the future, like I did.)

Either leave the "Earliest Offset" value blank, or default, and then hard-code the time you need into your search.

For example, I needed to look back 1 month, so I added the following to my first line:
earliest=-1mon

That solved the issue for me.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2022 05:04 AM

@martaBenedetti - Try just using 120

(Basically time period in seconds)

 

I hope this helps!!!

0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 05:51 AM

Hi @VatsalJagani ,

I've tried setting  in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down.

Thanks anyway

0 Karma
Reply

harishalipaka
Motivator
‎07-14-2022 04:13 AM

@martaBenedetti 

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Thanks
Harish
0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 05:49 AM

Hi @harishalipaka

I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞

martaBenedetti_0-1657802937431.png

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 AM

@martaBenedetti - Have you tried:

$info_min_time$ - 2m

 

I hope this helps!!!

0 Karma
Reply

martaBenedetti
Path Finder
‎07-14-2022 12:17 AM

Hi @VatsalJagani,

it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search  with no success since when I click on drill-down this error appears:

martaBenedetti_0-1657782974195.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...