Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Making Dashboard from Incident Review Search or Making Dashboard from Investigation

Aroot002
Path Finder
‎06-28-2021 02:42 PM

So I'm sorry if this is a rather stupid question, but I have been thrown into creating a dashboard and I've only taken a couple virtual courses on Splunk and I don't remember this being covered. I know how to create dashboards from searches, however I need to create a dashboard from something I'm pulling up through the incident review search, or if I group the events into an investigation create a dashboard from those results. 

Alternatively, is there a way to figure out exactly what the search string of the index review is using, as if there is I would know how to go from there, but I've tried doing searches through the indexes and sources I feel are most commonly used and I can't get the results I get in incident review.

Labels (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-28-2021 02:50 PM

I assume you're talking about Enterprise Security.

There are a couple of starting points.  The `notable` macro will give you notable events from the index.

`notable`

 Also if you look in the Security Posture dashboard, you will see the 'Top Notable Events' panel, which has a search you can expand to see where the data is coming from.

Note that the notable macro will take data from the notable index, whereas the es_notable_events takes data from the es_notable_events lookup file.

You can always see what a search containing a macro expands to by pressing Ctrl-Shift-E or Cmd-Shift-E (Mac) and it shows what the full expanded search looks like with no macros.

Hope this gets you started.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...