Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Make changes to an investigation in Splunk Enterprise Security

Make changes to the entries on an investigation from the timeline list or slide view.

Change the title and description of an investigation

Change the title and description of an investigation from the investigation bar. For example, change the name of the investigation as your investigation progresses to more accurately describe the security incident you are investigating.

  1. From the investigation bar, click the edit investigation icon. From the investigation view, click Edit.
  2. Change the title or description.
  3. Click Save.

Update the status of an investigation

Update the status of an investigation from the workbench, summary, or timeline view.

  1. While viewing the investigation, click Edit > Edit title, description, and status.
  2. Select a new status.
  3. Click Save.

You can also update the status of an investigation from the investigation bar.

  1. Click the all investigations icon and select your investigation.
  2. After loading your investigation into the investigation bar, click the edit investigation icon and select a status.
  3. Click Save.

Similar to notable events, administrators can customize the statuses available to select, and restrict the status workflow. Because of this, you might not be able to transition from some statuses to other statuses. See Manage and customize investigation statuses in Administer Splunk Enterprise Security.

Delete investigation entries

You can delete investigation entries when viewing the investigation timeline list or slide views.

  1. Find the entry on the investigation.
  2. Click Action > Delete Entry.
  3. Click Delete to confirm deleting the entry.

To delete multiple entries:

  1. Click List to view the investigation as a list of entries.
  2. Select the check box next to the investigation entries that you want to delete.
  3. Click Action and select Delete.
  4. Click Delete to confirm deleting the entry.

Edit or delete a note

Edit a note by clicking on it in the investigation notes window.

  1. From the investigation bar, click the notes icon.
  2. Select the note.
  3. Edit the title, date, timeline display, the note itself, and add or delete attachments.

Alternately, go to the timeline list view to edit or delete the note entry.

  1. From the timeline tab, click List View.
  2. From the actions column, you will see both notes and timeline notes.
  3. Select Edit Entry to edit it or Delete Entry to delete it.

Change the title of an entry

You can change the title of an entry to make it more clear.

  1. Locate the notable event, Splunk event, action history item, or other entry on the investigation.
  2. From the Actions menu, click Edit.
  3. Change the title.
Last modified on 19 January, 2022
Add details to an investigation in Splunk Enterprise Security   Collaborate on an investigation in

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters