Splunk Enterprise Security

Risk based alerting - Contributing Risk Events Drilldown not working?

torstein1
Explorer

Hi,

I have problems with the drilldown button in the "Risk Event Timeline" view for a Risk Notable.

When expanding Risk rules in the "Risk Event Timeline" view, you can click on a drilldown field named "Contributing events: View contributing events".

This button is disabled with the following message: "View contributing events" link is disabled as there is no drilldown search available for this risk rule.

The Risk rule is configured as a notable and has a drilldown search. 

Does anybody know how to enable the drilldown search in the "Risk Event Timeline" view?

 

1 Solution

torstein1
Explorer

Temporary Solution:
Try setting static values to the following parameters:
action.notable.param.drilldown_earliest_offset
action.notable.param.drilldown_latest_offset

By doing this it was possible to click the "View contributing events" link.

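As an added illustration of the workaround in the accepted answer (not part of the original posts): a hypothetical ES correlation search stanza in savedsearches.conf with the two offset parameters set to static values instead of tokens. The stanza name, the drilldown search text, the field names and the token-based defaults shown in the comments are assumptions; the value format for a static offset (a number of seconds relative to the event time) is also an assumption and should be checked against the savedsearches.conf.spec that ships with your ES version.

```ini
# Hypothetical ES correlation search (added example, not from the thread).
# Stanza name, search and field names are placeholders.
[Threat - Example Risk Rule - Rule]
action.notable = 1
action.risk = 1
action.notable.param.drilldown_name = View contributing events
# Drilldown search; $src$ is a placeholder token for a field the rule produces.
action.notable.param.drilldown_search = index=main src="$src$" | table _time src dest action

# Assumed token-based defaults that the Risk Event Timeline could not resolve:
# action.notable.param.drilldown_earliest_offset = $info_min_time$
# action.notable.param.drilldown_latest_offset = $info_max_time$

# Static values as suggested in the accepted answer (assumed unit: seconds
# around the event time; verify against savedsearches.conf.spec).
action.notable.param.drilldown_earliest_offset = 86400
action.notable.param.drilldown_latest_offset = 3600
```

After changing these parameters, open the Risk Notable again and expand the risk rule in the Risk Event Timeline; the "View contributing events" link should now be enabled for risk events generated after the change.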

chromefinch
Loves-to-Learn Lots

I added the following to the end of the drill down and made sure the time range was at least the same as the notable run time:
| eval drilldown_latest=_time + 3600
| eval drilldown_earliest=_time - 90000

You also need to make sure you have no mv fields.



mbjerkeland_spl
Splunk Employee

Since it seems to me that this isn't currently available I have created an idea on Splunk Ideas. I would appreciate it if you could give it your votes: https://ideas.splunk.com/ideas/ESSID-I-256

sidoyle_
Explorer

I have the exact same issue, something I have brought up with a couple of contacts within Splunk but have never had an answer on this.

Hopefully your post will get more traction and we get an answer.

 

Simon


torstein1
Explorer

The drilldown button is mentioned in step 7 in this article:
Triage notables on Incident Review in Splunk Enterprise Security - Splunk Documentation
