Solved: Splunk Enterprise Security: If an analyst added a ...

panovattack · ‎01-26-2016

If an analyst has added a notable event to an investigation, how does another analyst open that notable event to review it? There does not seem to be an option to view the raw event referenced in the timeline or jump to the all the notable events for an investigation. The same goes for Splunk Events.

panovattack · ‎02-26-2017

I believe this was fixed in updates to ES.

View solution in original post

panovattack · ‎02-26-2017

I believe this was fixed in updates to ES.

smoir_splunk · ‎04-06-2016

@panovattack I wanted to follow up on my answer and let you know that in ES 4.1 you can do this! When you add a notable event there is also a link to view the notable event on incident review.

smoir_splunk · ‎02-03-2016

There is no way to do that in the latest version, unfortunately. You can view only notable events or splunk events on an investigation by filtering on a type: of notable event or splunk event.

In the latest release, however, there is no way to click through to the raw events from the investigation timeline.

AndySplunks · ‎01-27-2016

Have you tried going to Actions, Show Source for the Notable Event? Below is a screenshot from my system:

Splunk Enterprise Security: If an analyst added a notable event to an investigation, how does another analyst open that notable event to review it?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases