Troubleshoot search results in Splunk Enterprise Security
Issue
Unexpected search results generated by detections.
Cause
Using index time as the Time Range in your detection can generate unexpected search results.
Solution
Follow these steps to check whether the detection SPL search is using index time:
- Check the savedsearches.conf configuration file to see whether the search uses index time. Configuration file settings change often, so do not assume that a setting you verified earlier is still in place.
- Check the fields in the findings and events. If any of the following three fields is present, the time range setting was index time when the detection ran:
  use_indextime
  info_min_indextime
  info_max_indextime
- Check the SPL of the custom search to verify the time range used. Custom searches might also inadvertently use index time.
- Check the scheduler log and the search execution audit logs to see whether index time is used in the saved search or in the drill-down search. If the parent detection uses index time, the drill-down search can inherit it and use index time as well.
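The first three checks above can be scripted against exported artifacts. The following is an added example, not code from the Splunk Enterprise Security product or documentation. It assumes that an index-time range shows up in savedsearches.conf as the dispatch.index_earliest and dispatch.index_latest keys and in SPL as the _index_earliest and _index_latest modifiers (the page itself names neither; those are this example's assumptions), and it uses a constructed savedsearches.conf excerpt and constructed finding records rather than data from a real deployment. The scheduler and audit log check from the last step is not covered here.

```python
import configparser
import re

# Constructed savedsearches.conf excerpt (not taken from any real ES install).
# Assumption of this example: dispatch.index_earliest / dispatch.index_latest
# are the keys that make the scheduler apply an index-time range.
SAMPLE_SAVEDSEARCHES_CONF = """
[Threat - Suspicious Login - Rule]
search = index=auth action=failure | stats count by user
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[Threat - Index Time Example - Rule]
search = index=auth action=success | stats count by src
dispatch.index_earliest = -24h@h
dispatch.index_latest = now

[Threat - Inline Modifier - Rule]
search = index=proxy _index_earliest=-1h _index_latest=now | stats count by dest
dispatch.earliest_time = -1h
dispatch.latest_time = now
"""

# Constructed finding records, as they might be exported from the findings index.
SAMPLE_FINDINGS = [
    {"rule_name": "Threat - Suspicious Login - Rule", "user": "alice",
     "info_min_time": "1700000000", "info_max_time": "1700086400"},
    {"rule_name": "Threat - Index Time Example - Rule", "src": "10.0.0.5",
     "use_indextime": "1", "info_min_indextime": "1700000000",
     "info_max_indextime": "1700086400"},
]

INDEXTIME_CONF_KEYS = ("dispatch.index_earliest", "dispatch.index_latest")
# Assumption of this example: inline SPL modifiers that select by index time.
INDEXTIME_SPL_RE = re.compile(r"\b_index_(earliest|latest)\s*=", re.IGNORECASE)
# The three indicator fields named on the page.
INDEXTIME_FINDING_FIELDS = ("use_indextime", "info_min_indextime", "info_max_indextime")


def load_conf(text):
    """Parse savedsearches.conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def spl_uses_indextime(spl):
    """True when the SPL string carries an _index_earliest/_index_latest modifier."""
    return bool(INDEXTIME_SPL_RE.search(spl))


def conf_stanzas_using_indextime(conf):
    """Map each stanza that selects by index time to the reasons it was flagged."""
    flagged = {}
    for name, settings in conf.items():
        reasons = [key for key in INDEXTIME_CONF_KEYS if key in settings]
        if spl_uses_indextime(settings.get("search", "")):
            reasons.append("_index_earliest/_index_latest in SPL")
        if reasons:
            flagged[name] = reasons
    return flagged


def finding_ran_with_indextime(finding):
    """Return the indicator fields present in a finding; empty means event time was used."""
    return [field for field in INDEXTIME_FINDING_FIELDS if field in finding]


if __name__ == "__main__":
    for stanza, reasons in conf_stanzas_using_indextime(load_conf(SAMPLE_SAVEDSEARCHES_CONF)).items():
        print(f"[conf] {stanza}: {', '.join(reasons)}")
    for finding in SAMPLE_FINDINGS:
        hits = finding_ran_with_indextime(finding)
        status = "index time" if hits else "event time"
        print(f"[finding] {finding['rule_name']}: {status} {hits if hits else ''}")
```

Run it against a real savedsearches.conf copied out of the app's default or local directory, and against findings exported as JSON, to get a list of detections to re-check in the scheduler log.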
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0