Incident Review Incidents Disappear when search completes

miront
Explorer

This is an odd issue. After a restart of Splunk my incident review dashboard will show all of my incidents as long as I filter out high.

When I initially land on incident review and it does its autorun 24h search I briefly see all of my incidents before they all disappear. It still gives me the option to select all xx incidents so they are there, just not displaying.

If I filter out the one high event (by greying out the 'high' box) everything displays fine.

I changed the urgency on the one high to critical and re-ran the search to include the high results as well. Still, everything disappears.

High seems to be the only thing causing this issue. All other combinations of searches I have tried work fine. Anything that is paired with high aside from high by itself will not display the incidents.

UPDATE
2016-03-22 19:22:24,045 ERROR [56f1fde0097f0d841f4290] utility:49 - name=javascript, class=Splunk.Error, lineNumber=9, message=Uncaught TypeError: Cannot read property 'toString' of undefined, fileName=https://10.10.10.10:9000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=*&...

0 Karma

smeier
Path Finder

I had a possibly related issue when I stumbled upon your post. In the error console this was logged:

incident_review.js:6 Uncaught TypeError: s.replace is not a function
    at Object.getFieldValue (https://prdbsx0005:8443/en-US/static/@e82289930bdd:302/app/SA-ThreatIntelligence/js/pages/incident_review.js:6:2278026)
    at eval (eval at x.template (...

In my case it turned out that someone had put a variable substitution in the correlation search name (e.g. $username$) instead of the notable event title. This was causing the error.

0 Karma
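A check for the cause smeier describes, added here as an example and not code from either poster or from Splunk: it scans `savedsearches.conf` text for enabled correlation searches whose name contains a `$token$` substitution. It assumes the Enterprise Security layout in which the stanza name and `action.correlationsearch.label` carry the search name and `action.notable.param.rule_title` carries the notable title; the sample configuration is constructed.

```python
import re

# Constructed sample in savedsearches.conf layout (not taken from the thread).
SAMPLE_CONF = """\
[Access - Excessive Failed Logins - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Excessive Failed Logins
action.notable.param.rule_title = Excessive failed logins for $user$

[Access - Logins by $username$ - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Suspicious logins by $username$
action.notable.param.rule_title = Suspicious logins

[Unrelated Report $x$]
search = index=main | stats count
"""

TOKEN = re.compile(r"\$[^$\s]+\$")               # $field$ style substitution
NAME_KEYS = ("action.correlationsearch.label",)  # assumed name-bearing key

def parse_conf(text):
    """Minimal .conf reader returning {stanza: {key: value}}.
    Skips blank lines and # comments; continuation lines are not handled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def find_tokenized_names(text):
    """Return (stanza, location, tokens) for each correlation search name with a token.
    Tokens in rule_title are expected there and are deliberately not reported."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        if kv.get("action.correlationsearch.enabled", "0").lower() not in ("1", "true"):
            continue  # not an enabled correlation search
        for where, value in [("stanza", stanza)] + [(k, kv.get(k, "")) for k in NAME_KEYS]:
            tokens = TOKEN.findall(value)
            if tokens:
                findings.append((stanza, where, tokens))
    return findings

if __name__ == "__main__":
    for stanza, where, tokens in find_tokenized_names(SAMPLE_CONF):
        print(f"{stanza!r}: {where} contains {tokens}")
```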