Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of ES.

Investigation Bar

When viewing dashboards within Splunk Enterprise Security, an Investigation Bar is visible at the bottom.

[Image: Investigation Bar in Splunk Enterprise Security 4.1]

Begin an investigation

  • Create a new investigation timeline by clicking Create a New Investigation.
  • Load an existing investigation timeline by clicking All Investigations and selecting a timeline.

Work an existing investigation

Load an existing investigation timeline into the bar by clicking All Investigations and selecting an investigation.

  • Change the investigation name by clicking Edit Investigation Name.
  • View the timeline of the investigation, or close it after you open it, by clicking Toggle Timeline.
  • Add a note by clicking Notes.
  • Add an item from your action history by clicking Action History.

Run a quick search

Run a search without needing to open the search dashboard by clicking Quick Search.

  • Enlarge or shrink your view of the search results by clicking and dragging the corner of the window. Double click to expand the search view to cover most of your screen, or double click again to shrink it.
  • Click Open in Search to view the search results on the Search dashboard.
  • Click Export to export the search results as a CSV file. You can then add those search results as an attachment to the timeline. See Investigation Timelines.
  • Quickly add the search to the investigation in the investigation bar by clicking Add to Investigation.

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only, 4.5.0, 4.5.1, 4.5.2, 4.5.3
