Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create monthly report about notables from Enterprise Security

KKuser
Path Finder
‎03-16-2025 07:17 PM

I'm trying to create a report that includes the following information and want to schedule it to run monthly. I need to know how can I gather the information from Splunk.

  • How many events are observed by Splunk for a month? Of those, how many are internal Splunk events ? How many events are from log sources?
  • Total number of notables observed by month
  • Classification of notables based on severity
  • What is the notable generation time?
  • what is the time the notable was assigned to analyst?
  • what is the time the analyst responded to the notable and what was the response?
  • what time was the notable closed?

 

As of now I'm going through the `notable`, but need more information as to how this can be navigated. Your comments would be appreciated.

 

Thanks

0 Karma
Reply

livehybrid
Super Champion
‎03-17-2025 06:52 AM

Hi @KKuser 

For the first, are you wanting to know the number of raw events Splunk searched by Enterprise Security in order to produce your notables? If so, something llike this should work but may need modifying to meet your needs:

index=_audit search=* info=completed action=search savedsearch_name=* provenance=scheduler (app=SplunkEnterpriseSecuritySuite OR app=SA-*)
| timechart span=1d sum(event_count) as events_scanned sum(result_count) as results_found

Regarding your other points, I think it would be best to check out Analytics->Executive Summary dashboard from within Enterprise Security as I think this covers what you are looking for, this dashboard can be cloned and tweaked to your needs. 

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

KKuser
Path Finder
‎03-17-2025 06:58 AM

I'm able to see the 'Mean time to resolution' field in the dashboard. But apart from that I'm unable to find other data points I'm looking for in the dashboard that you are referring to.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-17-2025 12:01 AM

@KKuser- I don't know if it would be possible to get the first request, rest of the requests mostly available by default on latest Enterprise Securities default dashboards. You can get the queries for the reports from these default Enterprise Security dashboards.

 

I hope this helps!!!

0 Karma
Reply

KKuser
Path Finder
‎03-17-2025 06:46 AM

I'm using an old version of enterprise security. Unfortuntaley there's not a lot of dashboard information that I can see. 

It'd be great if you can share the SPL queries or references to see where I can find the information. 

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...
OSZAR »