Troubleshoot search results in Splunk Enterprise Security

Issue

Unexpected search results generated by detections.

Cause

Running a detection with its time range set to index time instead of event time can generate unexpected search results. An index-time range selects events by when Splunk indexed them (_indextime) rather than by the event's own timestamp (_time), so events that arrive late, are backfilled, or are ingested with a skewed clock fall into a different window than the detection's event-time logic expects, producing extra or missing results.

Solution

Follow these steps to check whether the detection's SPL search is using index time:

  1. Check the savedsearches.conf configuration file to see whether the search is configured to use index time. Check the file itself rather than relying on what the UI showed earlier, because these settings change often.
  2. Check the fields in the findings and events. If any of the following fields is present, the time range was set to index time when the detection ran:
    • use_indextime
    • info_min_indextime
    • info_max_indextime
  3. Check the SPL of any custom search to verify which time range it uses. Custom searches can also use index time inadvertently, for example through the _index_earliest and _index_latest search modifiers.
  4. Check the scheduler log and the search audit logs to see whether index time is used by the saved search or by its drill-down search. If the parent detection uses index time, the drill-down search it launches might also use index time.
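As an added example that is not part of this topic and not Splunk's own tooling, the following Python script automates the checks above: it parses savedsearches.conf stanzas and flags any that set dispatch.index_earliest or dispatch.index_latest or whose SPL (the search itself or any other SPL-bearing setting, such as a drill-down search) carries the _index_earliest or _index_latest modifiers; it reports which of the three result fields listed in step 2 are present in a finding or event; and it scans log lines for the same modifiers. The stanza names, SPL, and log lines are constructed for illustration only. On a real search head you would feed it the merged configuration (for example the output of splunk btool savedsearches list --debug) and the search strings recorded in scheduler.log or audit.log.

```python
"""Hypothetical checker for index-time usage in ES detections.

Added example, not Splunk's own code. Sample stanzas and log lines below
are constructed for illustration and do not correspond to any real rule.
"""
import re

# Constructed sample stanzas in savedsearches.conf format (invented names/SPL).
SAMPLE_CONF = r"""
[Example - Event Time Rule]
search = index=wineventlog EventCode=4625 | stats count by user
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m

[Example - SPL Index Time Modifiers - Rule]
search = index=auth action=failure _index_earliest=-15m _index_latest=now \
  | stats count by user
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[Example - Dispatch Index Time Rule]
search = index=proxy status=403 | stats count by src
dispatch.index_earliest = -15m
dispatch.index_latest = now
"""

# Constructed lines standing in for scheduler/audit log entries; the format is
# illustrative, only the recorded search string matters to the check.
SAMPLE_LOG_LINES = [
    "... action=search info=granted search='search index=proxy status=403 | stats count by src' ...",
    "... action=search info=granted search='search index=auth _index_earliest=-15m _index_latest=now | stats count by user' ...",
]

# Saved-search settings that put the dispatch window on index time.
CONF_INDEX_TIME_KEYS = ("dispatch.index_earliest", "dispatch.index_latest")
# SPL time modifiers that select on _indextime instead of _time.
SPL_INDEX_TIME = re.compile(r"\b_index_(earliest|latest)\s*=", re.IGNORECASE)
# Fields the topic lists as present in findings/events when index time was used.
INDEX_TIME_RESULT_FIELDS = ("use_indextime", "info_min_indextime", "info_max_indextime")


def parse_conf(text):
    """Minimal .conf parser: [stanza] headers, key = value, backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; SPL may contain more
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_time_indicators(stanza):
    """Reasons a single stanza would run on index time (empty list if none)."""
    reasons = []
    for key in CONF_INDEX_TIME_KEYS:
        if stanza.get(key):
            reasons.append(f"{key} = {stanza[key]}")
    # Scan every value, not only 'search': drill-down searches and other
    # SPL-bearing settings in the stanza can carry the modifiers too.
    for key, value in stanza.items():
        match = SPL_INDEX_TIME.search(value)
        if match:
            reasons.append(f"{key} contains {match.group(0).strip()}")
    return reasons


def find_index_time_searches(conf_text):
    """Map stanza name -> reasons, for stanzas that show index-time usage."""
    found = {}
    for name, stanza in parse_conf(conf_text).items():
        reasons = index_time_indicators(stanza)
        if reasons:
            found[name] = reasons
    return found


def result_uses_index_time(row):
    """Fields from step 2 that are present in one finding/event row (dict of field -> value)."""
    return [f for f in INDEX_TIME_RESULT_FIELDS if f in row]


def scan_log_lines(lines):
    """Log lines whose recorded search string carries index-time modifiers (step 4)."""
    return [line for line in lines if SPL_INDEX_TIME.search(line)]


if __name__ == "__main__":
    for name, reasons in find_index_time_searches(SAMPLE_CONF).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
    for line in scan_log_lines(SAMPLE_LOG_LINES):
        print("log:", line)
```

The parser deliberately splits each line on the first = only, because the SPL after search = routinely contains its own = signs; it does not try to handle every savedsearches.conf feature, so treat a clean result as a prompt to also confirm the time-range setting in the detection editor rather than as proof that event time is in use.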
Last modified on 02 July, 2024
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0