Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Incident Review | Search is waiting for input...

virchenko
Explorer
‎08-28-2018 03:41 AM

Hello all!
I'm having trouble with Enterprise Security => Incident Review page.
all time "Search is waiting for input..."
Urgency is empty, grafic is empty.
but at Security Posture page i have events.
Has anyone had this problem in past?
how can i troubleshoot it?alt text

Preview file
1 KB
0 Karma
Reply

ibmresilient
Path Finder
‎04-29-2019 11:29 AM

Ok, figure out the "problem" for us at least. Splunk ES 4.7.2 is not compatible with Splunk 7.2.1. We roll back to Splunk 6.6, and this error message disappeared.

0 Karma
Reply

sharkie
Engager
‎04-02-2020 03:13 PM

Why not upgrade Splunk ES instead? There are new features which makes it worthwhile.

0 Karma
Reply

ibmresilient
Path Finder
‎04-29-2019 10:05 AM

I have the same problem, running Splunk 7.2.1 and Splunk ES 4.7.2. Anyone knows how to fix it please?

0 Karma
Reply

patriciachavez
New Member
‎09-19-2018 05:09 PM

Have you managed to solve it? The same thing happens to me with the PCI app, I have identified errors within the _internal logs with the search "index = _internal sourcetype = splunk_web_service component = error" apparently it is a js theme

In my case it looks for a js that does not find InvestigationBarViewWrapper.js in / etc / apps / SplunkEnterpriseSecuritySuite / appserver / static / but I can not find it if it is generated dynamically.

509 INFO [5ba2e020817f21c03fa2d0] error:311 - Masking the original 404 message: 'The path '/en-US/static/@a0c72a66db66/app/SplunkEnterpriseSecuritySuite/InvestigationBarViewWrapper.js' was not found.' with 'Page not found!' for security reasons

But I can not solve it 😞 Do you have any new status?

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎08-28-2018 12:39 PM

Hi @virchenko. Thanks for your question! Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-28-2018 06:19 AM

Hi @virchenko,

You need to provide Correlation Search Name and you need to provide timeframe as well instead of "All Time".

If you want to check Notable Events from Security Posture page in Incident Review then just click on Correlation Search Name under "Top Notable Events" which will drilldown (redirect) you to Incident Review page.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-28-2018 06:19 AM

Hi @virchenko,

You need to provide Correlation Search Name and you need to provide timeframe as well instead of "All Time".

If you want to check Notable Events from Security Posture page in Incident Review then just click on Correlation Search Name under "Top Notable Events" which will drilldown (redirect) you to Incident Review page.

0 Karma
Reply

virchenko
Explorer
‎08-30-2018 12:04 AM

thanks for answer
it'll work, when it page is work correct.
i haven't ane reaction of changing Correlation Search Name or other filters.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...