Splunk Enterprise Security

Search Notables by Time of Comments

JeffBothel
Explorer

In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that a comment is added to a notable that is generated. For example; I want to find all the notable events that I closed in an evening based on me making a comment on that notable during that timeframe instead of when the notable was generated.

smoir_splunk
Splunk Employee
Splunk Employee

You can use the incident_review macro to do this. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

I'm struggling to get answers to accept my super basic example search, so I hope that page is helpful enough for what you need!

Example search:

|`incident_review` |fields comment,reviewer

JeffBothel
Explorer

Also it would be nice if I could separate it by the comment creator or other fields that might be attributed as well. For example; find all the notables that I specifically worked on in a given timeframe based on a search that finds all comments I made to notables between a certain amount of time.

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @JeffBothel, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a working solution. We’re hosting a karma point contest, so it’s particularly awesome to up vote on Answers these days. 😄

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...