Re: How to configure Splunk Enterprise Security dr...

martaBenedetti · ‎07-13-2022

Hi,

I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.

I'd like to run the Drill-down search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.

I'm trying this configuration but seems not to work properly.

Is there a way to do so? Is there a way to set earliest in the Drill-down search?

Thanks a lot

Marta

VatsalJagani · ‎07-14-2022

@martaBenedetti - Try just using 120

(Basically time period in seconds)

I hope this helps!!!

martaBenedetti · ‎07-14-2022

Hi @VatsalJagani ,

I've tried setting in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down.

Thanks anyway

harishalipaka · ‎07-14-2022

@martaBenedetti

Time in seconds - 120

Epoch - 7200 (ms)

Try - $info_min_time$-7200

Thanks
Harish

martaBenedetti · ‎07-14-2022

Hi @harishalipaka

I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞

VatsalJagani · ‎07-13-2022

@martaBenedetti - Have you tried:

$info_min_time$ - 2m

I hope this helps!!!

martaBenedetti · ‎07-14-2022

Hi @VatsalJagani,

it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$.

On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search with no success since when I click on drill-down this error appears:

How to configure Splunk Enterprise Security drill-down earliest offset?

correlation search

incident review

investigation

notable event

using Enterprise Security

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...