Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do results differ between ESS Security Posture and Incident Review dashboards?

hazekamp
Builder
‎02-14-2011 09:15 PM

Sometimes when I drill down on information displayed in the Security Posture dashboard there is a different number of raw events displayed in Incident Review. Shouldn't these numbers be equivelant? (SOLN-164)

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎02-14-2011 09:22 PM

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎02-14-2011 09:22 PM

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...