Enterprise Security 3.3.1, Splunk 6.2.4.
I have notable events being generated by correlation searches (for instance, Short-lived account detected, but there are others). For each notable in the Incident Review dashboard, there are links to View original event and View account change events of $user$ (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results.
What should the notable event be keying off of for "event time"?
I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker).