Solved: Splunk Enterprise Security: Why is the Incident Re...

japala · ‎09-16-2016

Hello All,
I am working with the Splunk Enterprise Security App and in the Incident Review, under Urgency, we have 5 labels:

Critical
High
Low
Medium
Info

The problem is when we click on one of the labels, it doesn't give any results.

How to fix this issue.

jstoner_splunk · ‎09-19-2016

The list of urgencies work a little different than you might expect. By default, when I load the page, it returns values for each urgency level. However, if I click on an urgency, it will turn grey, which is basically unselecting that from the underlying filter condition, but the notables will still show in the tabular view until I click submit to rerun the search.

When I click submit, the urgency I previously clicked (de-selected) will stay grey and the tabular view will only return urgencies that are in their own color (red=critical, orange=high, medium=yellow, green=low, blue=info). If I want to get that urgency level back in my result set, click on the grey urgency. The color will change from grey to the correct urgency color and when you click submit, the tabular area will populate with those notable events.

View solution in original post

jstoner_splunk · ‎09-19-2016

The list of urgencies work a little different than you might expect. By default, when I load the page, it returns values for each urgency level. However, if I click on an urgency, it will turn grey, which is basically unselecting that from the underlying filter condition, but the notables will still show in the tabular view until I click submit to rerun the search.

When I click submit, the urgency I previously clicked (de-selected) will stay grey and the tabular view will only return urgencies that are in their own color (red=critical, orange=high, medium=yellow, green=low, blue=info). If I want to get that urgency level back in my result set, click on the grey urgency. The color will change from grey to the correct urgency color and when you click submit, the tabular area will populate with those notable events.

japala · ‎09-19-2016

Hey thanks jstoner for the answer. I have another question, in the tabular column we have different columns such as the status, owner, actions etc. so these drop down options are not working.. any thoughts???

jstoner_splunk · ‎09-19-2016

I am not sure I am following you. In the default tabular view, the columns by default include things like Time, Security Domain, Title, Urgency, Status, Action, Owner and Actions. Actions looks like a downward facing arrow that when clicked gives you a number of options including suppression, extract fields, etc.

Next to the urgency bar, there are drop down boxes for Status, Owner and Security Domain that have multiselect options, as well as text space for Tag, Name and Search.

What I am not sure I understand is when you say drop downs, the things I would consider to be drop downs would either be the Actions arrow in the tabular view OR the status, owner and security domain text boxes at the top of the screen so I am not sure which ones are having issues.

Did it previously work and then stop working? Is the browser a supported browser from Splunk's perspective?

japala · ‎09-19-2016

Actually all these Actions, Status, Owner and Security Domain none of them are showing drop down options when i click on them. And ya browser is supported and am using updated version of Google Chrome. i think this is the clustered env, because we have two search heads for the ES one is the old search head everything is looking fine.. but in the new one this dropdowns are a problem. i hope i am making sense.

Splunk Enterprise Security: Why is the Incident Review dashboard not generating results when I click on a label in the Urgency field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life