Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Collaborate on an investigation in

You can collaborate with other analysts on an investigation.

Add a collaborator to an investigation

  1. Open the investigation that you want to add a collaborator to.
  2. Click the add collaborators icon.
  3. Type the name of the person you want to add and select their name from the list to add them to the investigation.
    This screen image shows the list of collaborators that appear when you click the add collaborators plus icon.
  4. Their initials appear in a circle to confirm that they were added.

You can add any Splunk user in your deployment as a collaborator. By default, a collaborator has write permissions on the investigation. The option to add more collaborators to an investigation disappears if all available users have been added to the investigation.

View the collaborators assigned to an investigation

You can view the collaborators assigned to an investigation from an individual investigation or from the Investigations dashboard.

  • Hover over the collaborator icons to see the names of the collaborators on your investigation.
  • If a collaborator does not have write permissions for an investigation, the icon is gray and (read-only) is appended to their name.
  • Click the icon of a collaborator to see information about them. See their name and the permissions that the user has for the investigation.

This screen image shows the name and permissions options that show when you click a collaborator icon.

Make changes to the collaborators on an investigation

If you are a collaborator on an investigation with write permissions, you can change the permissions of other collaborators on the investigation.

  1. Click the icon of a collaborator.
  2. Change the Write permissions. By default, all collaborators have Yes for Write permissions. All investigations must have at least one collaborator with write permissions.

You can remove a collaborator if they are not the only collaborator on the investigation with write permissions.

  1. Click the icon of a collaborator.
  2. Click Remove.
Last modified on 22 November, 2021
Make changes to an investigation in Splunk Enterprise Security   Review an investigation in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters