Solved: How to get a notable event's drilldown URL

zyun · ‎08-30-2021

We're currently using Splunk ES, and would like to grab the link to a notable event's drilldown link on the ES Incident Review page without having to manually copy it.

The closest solution that I've come across is automatically building the URL by using a `notable` search and piecing together the earliest/latest times and drilldown search, but I feel like there might be a more elegant solution out there.

zyun · ‎09-17-2021

Found that using the orig_sid in the notable's event fields can provide the indirect link to the drilldown.

Ex. localhost:8000/en-US/app/SplunkEnterpriseSecuritySuite/search?sid=<orig_sid>

View solution in original post

zyun · ‎09-17-2021

Found that using the orig_sid in the notable's event fields can provide the indirect link to the drilldown.

Ex. localhost:8000/en-US/app/SplunkEnterpriseSecuritySuite/search?sid=<orig_sid>

How to get a notable event's drilldown URL

incident review

investigation

notable event

using Enterprise Security

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation