https://community.splunk.com/t5/Splunk-Enterprise-Security/Null-value-for-urgency-in-incident-review-lookup/m-p/454262#M6383 <P>Hi Splunkers,</P> <P>when we save\close notable events without changing the Urgency we get no any value (null) for <CODE>urgency</CODE> in <CODE>incident_review_lookup</CODE>. <BR /> In ES <CODE>Incident Review</CODE> view the Urgency is shown and just has initial value (as expected). <BR /> Is it possible to get the default value for urgency in lookup in case we want to leave urgency as is?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7277i43BD67732ADDFD9D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7278i8C92BDCF866F4A16/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 02 Jul 2019 16:36:43 GMT evelenke 2019-07-02T16:36:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Null-value-for-urgency-in-incident-review-lookup/m-p/454262#M6383 <P>Hi Splunkers,</P> <P>when we save\close notable events without changing the Urgency we get no any value (null) for <CODE>urgency</CODE> in <CODE>incident_review_lookup</CODE>. <BR /> In ES <CODE>Incident Review</CODE> view the Urgency is shown and just has initial value (as expected). <BR /> Is it possible to get the default value for urgency in lookup in case we want to leave urgency as is?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7277i43BD67732ADDFD9D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7278i8C92BDCF866F4A16/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 02 Jul 2019 16:36:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Null-value-for-urgency-in-incident-review-lookup/m-p/454262#M6383 evelenke 2019-07-02T16:36:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Null-value-for-urgency-in-incident-review-lookup/m-p/454263#M6384 <P>One of my customers had this situation before and it turned out that the severity was being assigned an unknown value in the correlation search. Take a look at the ES documentation for determining urgency. </P> <P><A href="https://docs.splunk.com/Documentation/ES/5.3.1/User/Howurgencyisassigned">https://docs.splunk.com/Documentation/ES/5.3.1/User/Howurgencyisassigned</A></P> <P>In the customer's case, the assigned priority was being overwritten in the correlation search. It was being set to a value that was not in the blue or gold sections of the urgency table (see link). </P> <P>So for example ES expects the Assigned Priority to be <EM>Unknown, Low, Medium, High, or Critical</EM>. If your correlation search mistakenly sets a field called priority to <STRONG>Informational</STRONG> then ES cannot correctly calculate the urgency. You will get a NULL value.</P> Tue, 24 Sep 2019 15:43:21 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Null-value-for-urgency-in-incident-review-lookup/m-p/454263#M6384 nswondem 2019-09-24T15:43:21Z