https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/751289#M12617 <P>I needed to preface the view name with&nbsp;/app/SplunkEnterpriseSecuritySuite/<BR /><BR />Sample:<BR /><SPAN>Investigate Identity Artifacts - "/app/SplunkEnterpriseSecuritySuite/ident_by_name"</SPAN><BR /><SPAN>Investigate Asset Artifacts - "/app/SplunkEnterpriseSecuritySuite/asset_artifacts"</SPAN><BR /><SPAN>Investigate File/Process Artifacts - "/app/SplunkEnterpriseSecuritySuite/file_artifacts"</SPAN></P> Fri, 08 Aug 2025 16:47:17 GMT computermathguy 2025-08-08T16:47:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391917#M4243 <P>Greetings--</P> <P>I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.<BR /> It appears on the App Menu, but when I select it, I get the pony error page.</P> <P>I am able to investigate artifacts from ES &gt; Incident Review &gt; Selecting the Incident &gt; Action Menu &gt; Investigate Asset Artifacts</P> <P>but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator</P> <P>Please advise.</P> Fri, 05 Apr 2019 15:11:36 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391917#M4243 richardphung 2019-04-05T15:11:36Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391918#M4244 <P>Hi,</P> <P>that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the decription says:</P> <P>"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.</P> <P>Skalli</P> Sun, 07 Apr 2019 18:56:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391918#M4244 skalliger 2019-04-07T18:56:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391919#M4245 <P>To show the dashboards directly from the UI once you have the app installed.</P> <P>Configure -&gt; General -&gt; Navigation </P> <P>Create a new collection. Maybe call it "Investigators".</P> <P>Add new Views:<BR /> Investigate Identity Artifacts - "ident_by_name"<BR /> Investigate Asset Artifacts - "asset_artifacts"<BR /> Investigate File/Process Artifacts - "file_artifacts"</P> <P>Drag new views to the collection panel.</P> <P>Save and refresh screen. It will be on the toolbar.</P> Wed, 30 Sep 2020 00:55:23 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/391919#M4245 jamesbrock 2020-09-30T00:55:23Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/751289#M12617 <P>I needed to preface the view name with&nbsp;/app/SplunkEnterpriseSecuritySuite/<BR /><BR />Sample:<BR /><SPAN>Investigate Identity Artifacts - "/app/SplunkEnterpriseSecuritySuite/ident_by_name"</SPAN><BR /><SPAN>Investigate Asset Artifacts - "/app/SplunkEnterpriseSecuritySuite/asset_artifacts"</SPAN><BR /><SPAN>Investigate File/Process Artifacts - "/app/SplunkEnterpriseSecuritySuite/file_artifacts"</SPAN></P> Fri, 08 Aug 2025 16:47:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-integrate-SA-Investigator-with-ES/m-p/751289#M12617 computermathguy 2025-08-08T16:47:17Z