Start an investigation in Splunk Enterprise Security
You can start an investigation in Splunk Enterprise Security in several ways.
- Start an investigation from Incident Review while triaging notable events. See Add a notable event to an investigation.
- Start an investigation with an event workflow action. See Add a Splunk event to an investigation.
- Start an investigation from the Investigations dashboard.
- Start an investigation when viewing a dashboard using the investigation bar.
By default, users with the ess_admin and ess_analyst roles can start an investigation.
Start an investigation from the Investigations dashboard
From the Investigations dashboard:
- Click Create New Investigation.
- Type a title.
- (Optional) Type a description.
- Click Save.
Start an investigation from the investigation bar
When viewing dashboards in Splunk Enterprise Security, an investigation bar appears at the bottom of the page. You can use the investigation bar to track the progress of your investigation from any page in Splunk Enterprise Security.
When you start an investigation from the investigation bar, the new investigation is loaded in the bar, so it stays with you as you move between dashboards.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6