What is the search window of Splunk ES Scheduled imports for SecOps SIR?

Raghav Kakkar
Tera Expert

Hello all,


I have implemented the Splunk ES integration with SecOps to automate notable ingestion. We are polling Splunk to fetch notables every 4 minutes. I want to know, when we send a poll to Splunk, how far back in the past ServiceNow is requesting the notables for.

For example, if a request is sent at 12:00, would the search query in the request cover some window in the past, say any notables created or updated by correlation rules A, B, C from 11:00 to 12:00?


The reason I ask is that I want to understand whether updating a notable in Splunk 2 hours after its creation will also be picked up by ServiceNow, and whether I would get the updated raw data in the Splunk ES imports table or not.


Thanks!