Making Dashboard from Incident Review Search or Ma...

Aroot002 · ‎06-28-2021

So I'm sorry if this is a rather stupid question, but I have been thrown into creating a dashboard and I've only taken a couple virtual courses on Splunk and I don't remember this being covered. I know how to create dashboards from searches, however I need to create a dashboard from something I'm pulling up through the incident review search, or if I group the events into an investigation create a dashboard from those results.

Alternatively, is there a way to figure out exactly what the search string of the index review is using, as if there is I would know how to go from there, but I've tried doing searches through the indexes and sources I feel are most commonly used and I can't get the results I get in incident review.

bowesmana · ‎06-28-2021

I assume you're talking about Enterprise Security.

There are a couple of starting points. The `notable` macro will give you notable events from the index.

`notable`

Also if you look in the Security Posture dashboard, you will see the 'Top Notable Events' panel, which has a search you can expand to see where the data is coming from.

Note that the notable macro will take data from the notable index, whereas the es_notable_events takes data from the es_notable_events lookup file.

You can always see what a search containing a macro expands to by pressing Ctrl-Shift-E or Cmd-Shift-E (Mac) and it shows what the full expanded search looks like with no macros.

Hope this gets you started.

Making Dashboard from Incident Review Search or Making Dashboard from Investigation

incident review

investigation

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann