Splunk Enterprise Security

How to configure Splunk Enterprise Security drill-down earliest offset?

martaBenedetti
Path Finder

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down  search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.

I'm trying this configuration but seems not to work properly.

martaBenedetti_0-1657698483064.png

Is there a way to do so? Is there a way to set earliest in the Drill-down search?

 

Thanks a lot

Marta

 

 

0 Karma

mbagley
New Member

If you'll forgive the late reply...

I ran into your problem this morning and found a workaround. (And wanted to answer in case someone else runs across this thread in the future, like I did.)

Either leave the "Earliest Offset" value blank, or default, and then hard-code the time you need into your search.

For example, I needed to look back 1 month, so I added the following to my first line:
earliest=-1mon

That solved the issue for me.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@martaBenedetti - Try just using 120

(Basically time period in seconds)

 

I hope this helps!!!

0 Karma

martaBenedetti
Path Finder

Hi @VatsalJagani ,

I've tried setting  in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down.

Thanks anyway

0 Karma

harishalipaka
Motivator

@martaBenedetti 

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Thanks
Harish
0 Karma

martaBenedetti
Path Finder

Hi @harishalipaka

I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞

martaBenedetti_0-1657802937431.png

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@martaBenedetti - Have you tried:

$info_min_time$ - 2m

 

I hope this helps!!!

0 Karma

martaBenedetti
Path Finder

Hi @VatsalJagani,

it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search  with no success since when I click on drill-down this error appears:

martaBenedetti_0-1657782974195.png

 

 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...