Splunk Enterprise Security

"All time" time range in notable drilldown search

ejahnke
Explorer

Hello fellow ES 8.X enjoyer.

We have a few Splunk Cloud customers that got upgraded to ES 8.1. We have noticed that all the drilldown searches from Mission Control use the time range "All time", even though we configured the earliest and latest offset with $info_min_time$ and $info_max_time$.

After saving the search again, the problem vanished. I also created a new search and it worked correctly immediately.

It worked before the update for the existing searches and stopped working after the upgrade. 

Anybody else with the same experience? 

Best regards

 

ljvc
Explorer

ES 8.1.1 solved this for us!


ljvc
Explorer

We are experiencing the same issue; subscribing to this thread in case anyone finds a solution.

emzet
Explorer

Try saving the existing drilldown search again (even without real changes) or create one from scratch. After the "changes", the tokens $info_min_time$ and $info_max_time$ start working well.
