Splunk Enterprise Security

Splunk ES on version 7.3.3: How to get consistent user lookups on both incident reviews and investigations?


The Owner selection in Incident Review filters by the account "Full name", but the Investigations filter to add users to the investigation only displays and filters on the account name.

I expect that all user lookups in Splunk ES should behave similarly, if not identically.  If only one field is available, I'd prefer the "Full name".  But filtering on both might be nice, if it isn't noisy and doesn't add too much to the backend.

Version: Splunk ES on 7.3.3
