Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

It is possible to group notable events in Incident Review for Splunk Enterprise Security?

HealyManTech
Explorer
‎09-20-2018 09:08 AM

I have a couple searches that trigger in Incident Review and I want to group them up by count. And than let the drill down show me the detailed information of each event. Does anyone know how to group them?

Reply

HealyManTech
Explorer
‎11-29-2018 02:44 PM

From what I been playing with. There isn't really a way to use the correlation search and stats to group information you want to seen when you expand the event, but you can have the search and group them by a count and break them down by different types. You do this by throttling with the fields to group by.

I have a feeling you can do it different but I was able to get a count of events and with the drill down see the information I wanted to see with the drill down information.

0 Karma
Reply

starcher
Influencer
‎09-20-2018 11:07 AM

This is not a UI feature in ES Incident Review.

0 Karma
Reply

HealyManTech
Explorer
‎09-24-2018 11:53 AM

Not sure how this is an answer.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...