Pin fields for findings and investigations in Splunk Enterprise Security

Pin specific fields in the side panel of a finding or investigation or on the investigation overview page to keep the information you care about most easily accessible. Pinned fields act as favorites. They appear together in a dedicated Pinned section at the top of the fields section, so you don't need to scroll through all of the information each time.

Pinned fields are duplicates of their original entries. The field still appears in its original section, even after pinning. Pinned fields are also user-specific, so your pinned view doesn't affect other users.

You can also reorder your pinned fields to change the display order.

  1. In Splunk Enterprise Security, select Mission Control to open the analyst queue.
  2. Select a finding or investigation from the analyst queue to open the side panel.
    Optionally, for investigations, you can select View investigation and complete the rest of these steps to pin fields on the investigation overview page.
  3. Hover over any of the existing fields to see the pin icon.
    Note: Custom fields are also available to pin in the side panel. These fields are read-only.
  4. Select the pin icon to copy the field to the Pinned section. Adding a pinned field adds it to the end of the pinned list by default.
  5. (Optional) Reorder fields in the Pinned section by hovering over a field and selecting the reorder icon.
  6. (Optional) Remove a field from the Pinned section by hovering over the field and selecting the pin icon again.
    Removing the pinned field removes only the pinned copy of the field. It doesn't delete the field.