Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigation Bar

When viewing dashboards within Splunk Enterprise Security, an Investigation Bar is visible at the bottom of the page.

Begin an investigation

  • Create a new investigation timeline by clicking Create a New Investigation.
  • Load an existing investigation timeline by clicking All Investigations and selecting a timeline.

Work an existing investigation

Load an existing investigation timeline into the bar by clicking All Investigations and selecting an investigation.

  • Change the investigation name by clicking Edit Investigation Name.
  • View the timeline of the investigation, or close it after you open it, by clicking Toggle Timeline.
  • Add a note by clicking Notes.
  • Add an item from your action history by clicking Action History.

Run a quick search

Run a search without needing to open the search dashboard by clicking Quick Search.

  • Enlarge or shrink your view of the search results by clicking and dragging the corner of the window. Double-click to expand the search view to cover most of your screen, or double-click again to shrink it.
  • Click Open in Search to view the search results on the Search dashboard.
  • Click Export to export the search results as a CSV file. You can then add those search results as an attachment to the timeline. See Investigation Timelines.
  • Quickly add the search to the investigation in the investigation bar by clicking Add to Investigation.
Last modified on 12 April, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only, 4.5.0, 4.5.1, 4.5.2, 4.5.3

