Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Risk based alerting - Contributing Risk Events Drilldown not working?

torstein1
Explorer
‎09-26-2022 05:56 AM

Hi,

I have problems with the drilldown button in the "Risk Event Timeline" view for an Risk Notable.

When expanding Risk rules in the "Risk Event Timeline" view, you can click on a drilldown field named "Contributing events: View contribting events".

This button is disabled with the following message: "View contributing events" link is disabled as there is no drilldown search available for this risk rule.

The Risk rule is configured as a notable and has a drilldown search. 

Does anybody know how to enabled the drilldownsearch in the "Risk Event Timeline" view

 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

torstein1
Explorer
‎10-04-2022 05:00 AM

Temporary Solution:
Try setting static values to the following parameters:
action.notable.param.drilldown_earliest_offset
action.notable.param.drilldown_latest_offset.

By doing this it was possible to click the "View contributing events" link.

View solution in original post

Reply
Solved! Jump to solution

chromefinch
Loves-to-Learn Lots
‎10-14-2022 08:52 AM

I added the following to the end of the drill down and made sure the time range was at least the same as the notable run time:
| eval drilldown_latest=_time + 3600
| eval drilldown_earliest=_time - 90000

you also need to make sure you have no mv fields 

0 Karma
Reply
Solved! Jump to solution
Solution

torstein1
Explorer
‎10-04-2022 05:00 AM

Temporary Solution:
Try setting static values to the following parameters:
action.notable.param.drilldown_earliest_offset
action.notable.param.drilldown_latest_offset.

By doing this it was possible to click the "View contributing events" link.

Reply
Solved! Jump to solution

mbjerkeland_spl
Splunk Employee
Splunk Employee
‎10-03-2022 02:08 AM

Since it seems to me that this isn't currently available I have created an idea on Splunk Ideas. I would appreciate it if you could give it your votes: https://ideas.splunk.com/ideas/ESSID-I-256

Reply
Solved! Jump to solution

sidoyle_
Explorer
‎09-26-2022 06:40 AM

I have the exact same issue, something i have brought up with a couple of contacts within Splunk but have never had an answer on this.

Hopefully your post will get more traction and we get answer.

 

Simon

0 Karma
Reply
Solved! Jump to solution

torstein1
Explorer
‎09-26-2022 06:18 AM

The drilldown button is mentioned in step 7 in this article:
Triage notables on Incident Review in Splunk Enterprise Security - Splunk Documentation

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...