
Why can't the Enterprise Security searches with the 'incident_review' macro filter for time?

Dijert
New Member

I have been trying to build a report for a client tracking the ticket statuses in the incident review dashboard over time. The dashboard contains 8 panels and the base of the searches for all of those panels is as follows:

| `incident_review` | rename status_label as status | timechart span=7d count by status | sort - _time

The search does what it is meant to do: it separates the statuses into weekly buckets, counts them up, and spits them out in a table or graph (whatever I choose).

The problem comes when I need to assign a time filter for the panels. The client only wants the previous 16 weeks' worth of this data, but when I attempt to assign this time filter, nothing happens. When I attempt to assign ANY time filter, nothing happens.

Has anyone else had this issue when trying to build reports using the incident review macro? If so, how did you solve this?

Thank You,
Tyler Dygert

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

The macro is basically loading a lookup file; it's not searching an index. As a result, the time range picker doesn't do anything.

You can still filter in your search: ... | where _time >= relative_time(now(), "-16w@w1") | ...


0 Karma
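The accepted answer's filter placed into the original base search, as an added example (not code from the thread). The where clause has to run before timechart, because timechart is what builds the weekly buckets; "-16w@w1" snaps the lower bound to the Monday 16 weeks ago, and any `earliest`/`latest` from the time picker is ignored because the macro reads a lookup rather than an index.

```spl
`incident_review`
| rename status_label as status
| where _time >= relative_time(now(), "-16w@w1")
| timechart span=7d count by status
| sort - _time
```

The answer only bounds the start of the range, so the current, partial week is still included in the last bucket.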


Dijert
New Member

This worked! Thank you.

0 Karma