Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Make changes to an investigation in Splunk Enterprise Security

Make changes to the entries on an investigation from the list view or the timeline view.

Change the title and description of an investigation

Change the title and description of an investigation from the investigation bar. For example, change the name of the investigation as your investigation progresses to more accurately describe the security incident you are investigating.

  1. From the investigation bar, click the edit investigation icon. From the investigation view, click Edit.
  2. Change the title or description.
  3. Click Save.

Delete a single investigation entry from the timeline view

  1. Find the entry on the timeline view.
  2. Click Action > Delete Entry.
  3. Click Delete to confirm deleting the entry.

Delete investigation entries from the list view

  1. Click List to view the investigation as a list of entries.
  2. Select the check box next to the investigation entries that you want to delete.
  3. Click Action and select Delete.
  4. Click Delete to confirm deleting the entry.

Change a note

  1. Find the note in the investigation and open the note for editing.
    1. From the timeline view of the investigation click Action > Edit Note
    2. From the list view of the investigation click Edit in the Actions column.
  2. Make changes. For example, add a new attachment and add a sentence to the description describing the new attachment.
  3. Remove a file attachment by clicking the X next to the file name.
  4. Click Save.

Change the title of an entry

You can change the title of an entry to make it more clear.

  1. Locate the notable event, Splunk event, action history item, or other entry on the investigation.
  2. From the Actions menu, click Edit.
  3. Change the title.

Close an investigation

You can indicate that an investigation is closed in several ways.

  • Change the title to include the word "Closed" so that you can filter on closed investigations on My Investigations.
  • Add a note at the end of the investigation to identify the investigation as closed.
PREVIOUS
Add details to an investigation in Splunk Enterprise Security
  NEXT
Collaborate on an investigation in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters