Splunk Enterprise Security

Splunk ES on version 7.3.3: How to get consistent user lookups on both incident reviews and investigations?


The Owner selection in Incident Review filters by the account "Full name", but the Investigations filter to add users to the investigation only displays and filters on the account name.

I expect that all user lookups in Splunk ES should behave similarly, if not identically.  If only one field is available, I'd prefer the "Full name".  But filtering on both might be nice, if it isn't noisy and doesn't add too much to the backend.

Version: Splunk ES on 7.3.3

Labels (2)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...