Splunk Enterprise Security

Incident review default settings

kiran331
Builder

Hi

Is there a way to show only critical, high, medium in incident review by default?

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

Not by default, but you could change the link to Incident Review to a filtered version of it by using these steps:
http://docs.splunk.com/Documentation/ES/4.2.0/User/ManageSearches#Add_a_link_to_the_ES_menu
(the steps apply for any ES installation though these docs are for a cloud-only version).

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

Not by default, but you could change the link to Incident Review to a filtered version of it by using these steps:
http://docs.splunk.com/Documentation/ES/4.2.0/User/ManageSearches#Add_a_link_to_the_ES_menu
(the steps apply for any ES installation though these docs are for a cloud-only version).

kiran331
Builder

Thanks!how to add default=true to this one to make this as default page for ES

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

@kiran331 I just tested moving "default=true" from ess_home to the incident_review view, and that worked for me. Does that work for you?

0 Karma

kiran331
Builder

Can i use default = true with in the href tag

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Sadly I couldn't get that to work, even when it referenced an app context.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...