In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that a comment is added to a notable that is generated. For example; I want to find all the notable events that I closed in an evening based on me making a comment on that notable during that timeframe instead of when the notable was generated.
You can use the incident_review macro to do this. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA
I'm struggling to get answers to accept my super basic example search, so I hope that page is helpful enough for what you need!
|`incident_review` |fields comment,reviewer
Also it would be nice if I could separate it by the comment creator or other fields that might be attributed as well. For example; find all the notables that I specifically worked on in a given timeframe based on a search that finds all comments I made to notables between a certain amount of time.
Hey @JeffBothel, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a working solution. We’re hosting a karma point contest, so it’s particularly awesome to up vote on Answers these days. 😄