Splunk Enterprise Security

Risk based alerting - Contributing Risk Events Drilldown not working?

torstein1
Explorer

Hi,

I have problems with the drilldown button in the "Risk Event Timeline" view for a Risk Notable.

When expanding risk rules in the "Risk Event Timeline" view, you can click on a drilldown field named "Contributing events: View contributing events".

This button is disabled with the following message: "View contributing events" link is disabled as there is no drilldown search available for this risk rule.

The risk rule is configured as a notable and has a drilldown search.

Does anybody know how to enable the drilldown search in the "Risk Event Timeline" view?

1 Solution

torstein1
Explorer

Temporary solution:
Try setting static values for the following parameters:
action.notable.param.drilldown_earliest_offset
action.notable.param.drilldown_latest_offset

By doing this it was possible to click the "View contributing events" link.


chromefinch
Loves-to-Learn Lots

I added the following to the end of the drilldown and made sure the time range was at least the same as the notable run time:
| eval drilldown_latest=_time + 3600
| eval drilldown_earliest=_time - 90000

You also need to make sure you have no mv fields.

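As an added example (not code from the thread or from Splunk's documentation), here is a local/savedsearches.conf stanza that applies both workarounds at once: the static drilldown offsets from the accepted solution, and the per-event drilldown_earliest/drilldown_latest fields from the reply above. The stanza name, the search, the data model fields, the index and sourcetype, the risk action keys and the offset values are all hypothetical placeholders; only the action.notable.param.drilldown_* parameter names come from the thread.

```ini
# Added example, not from the thread: a correlation search that is both a
# risk rule and a notable. Everything below the parameter names is a
# placeholder to be adapted to your own environment and ES version.
[Threat - Example Risk Rule - Rule]
enableSched = 1
cron_schedule = */15 * * * *
# The search's own window. The drilldown window carried in the events
# below is deliberately at least as wide as this range (chromefinch's point).
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
search = | tstats summariesonly=true count from datamodel=Authentication \
    where Authentication.action="failure" by _time span=1h, Authentication.src, Authentication.user \
| rename Authentication.* as * \
| where count > 20 \
| eval drilldown_latest=_time + 3600 \
| eval drilldown_earliest=_time - 90000

# Notable action with an explicit drilldown search and static offsets in
# place of the default $info_min_time$ / $info_max_time$ tokens (the
# accepted workaround). Index, sourcetype and field names are assumptions.
action.notable = 1
action.notable.param.rule_title = Excessive failed logons from $src$ as $user$
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.drilldown_name = View failed logons from $src$
action.notable.param.drilldown_search = index=main sourcetype=linux_secure action=failure src="$src$" user="$user$"
action.notable.param.drilldown_earliest_offset = -24h
action.notable.param.drilldown_latest_offset = +1h

# Risk action so the rule contributes events to the Risk Event Timeline.
# These are the single-object keys; newer ES versions also accept a JSON
# list in action.risk.param._risk. Check savedsearches.conf.spec for yours.
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 40
```

Two things to check after deploying a stanza like this: the tstats by clause keeps src and user single-valued, so the $src$ and $user$ tokens in the drilldown search do not hit the multivalue-field problem mentioned above, and the static offsets should be wide enough to cover the hour-long span buckets the search produces, otherwise the drilldown opens on an empty window.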


mbjerkeland_spl
Splunk Employee

Since it seems to me that this isn't currently available I have created an idea on Splunk Ideas. I would appreciate it if you could give it your votes: https://ideas.splunk.com/ideas/ESSID-I-256

sidoyle_
Explorer

I have the exact same issue, something I have brought up with a couple of contacts within Splunk but have never had an answer on this.

Hopefully your post will get more traction and we get an answer.


Simon


torstein1
Explorer

The drilldown button is mentioned in step 7 of this article:
Triage notables on Incident Review in Splunk Enterprise Security - Splunk Documentation
