Search in incident review page

matankar · ‎01-15-2019

Hi everyone

I’m trying to make search by comment in the incident review page, but splunk cant find any results.
When I’m look for results with simple search only with status, owner and time splunk can find the results I’m looking for.

Thanks for helping.

matankar · ‎01-17-2019

Thanks again for your help
It’s not working...
Do you have another suggestion?

dkeck · ‎01-15-2019

Hi,

if I remeber correctly you can search with

comment="*part_of_your_comment*"

You can also search for rule_tile="CS_search_title".

dkeck · ‎01-16-2019

Any luck with that? If it was helpfull please accept the answer, thank you 🙂

matankar · ‎01-17-2019

|incident_review | search comment=“part_of_your_comment”

Thanks for your help

dkeck · ‎01-17-2019

Did it work to enter comment="*text*" or not?

If yes please accept the answer, just click the accept button above, thank you.

lakshman239 · ‎01-15-2019

Not sure if you can search for comments directly in the incident page, but you could search against the macro:

incident_review | search comment="your comment"

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

Search in incident review page

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases