Review an investigation in Splunk Enterprise Security
Revisit past investigations, or view a current investigation by clicking the title from the investigation bar or from the Investigations dashboard. Users with the capability to manage all investigations can view all investigations. Only collaborators on an investigation with write permissions can edit an investigation. See Manage access to investigations in Administer Splunk Enterprise Security.
Review an investigation for training or research purposes. Click an entry on an investigation to see all details associated with it.
- For notes with file attachments, click the file name to download the file attachment.
- For notable events, click View on Incident Review to open the Incident Review dashboard filtered on that specific notable event.
- For action history entries, you can repeat the previously performed action. For a search action history entry, click the search string to open it in search. For a dashboard action history entry, click the dashboard name to view the dashboard.
Gain insight into an attack or investigation by viewing the entire investigation timeline, or expand or contract the timeline to view only part of it.
Click the timeline to move it and scan the entries. View a chronological list of all timeline entries by clicking the list icon, or refine your view of the timeline using filters. You can filter by type or use the Filter box to filter by title.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6