Thanks so much for the info! The app I was working in was Mission Control, going along with the video, but your suspicion about the ES version is probably spot on. This video is two years old, and I just upgraded to the latest version recently. This was the video: https://youtu.be/xhfb5Cc11Tg?t=177

I understand what you mean about creating the event from the analyst queue. I'm just confused about how to add more searched events when performing manual searches. There is an Events tab within the investigation. What I'm seeing is that you would go to the Search tab, and if you find anything else of interest, you should be able to add it to the investigation you created. Right now the only way I can populate additional searches into this tab is by using the add events macro, which works fine, but this can cause accidental additions if my SPL catches other entries in my search which I don't want added to the investigation. It seems like a better way would be to allow me to manually add the event by finding the search myself and telling Splunk to add it. Hope that makes sense?

I did training on the previous version of Splunk for investigations; this newer Mission Control is totally different and appears to lack some of the functionality in the older version. Or perhaps I'm just missing something in terms of workflow for investigations in this version of Splunk ES. I see Response is probably the primary tab to work in, but it feels lacking at the moment, probably because everything is defaulted at the moment.