I noticed some weirdness with the Incident Review check-boxes. Sometimes I will have 1 or more check-boxes selected, and then the selections get wiped out or cleared. What gives?
Splunk refreshes the Incident Review dashboard as long as the underlying search is still running. The refresh deselects any check boxes you have selected. To avoid this behavior, wait for the search to complete before attempting to edit the status of the events. You can also click Finalize or Pause from the search controls.
Splunk refreshes the Incident Review dashboard as long as the underlying search is still running. The refresh deselects any check boxes you have selected. To avoid this behavior, wait for the search to complete before attempting to edit the status of the events. You can also click Finalize or Pause from the search controls.