https://community.splunk.com/t5/Splunk-Search/Incident-Review-Incidents-Disappear-when-search-completes/m-p/257374#M189512 <P>I had possibly a related issue when stumbling upon your post. In the error console this was logged-</P> <PRE><CODE>incident_review.js:6 Uncaught TypeError: s.replace is not a function at Object.getFieldValue (https://prdbsx0005:8443/en-US/static/@e82289930bdd:302/app/SA-ThreatIntelligence/js/pages/incident_review.js:6:2278026) at eval (eval at x.template (... </CODE></PRE> <P>In my case it turned out to be someone had put a variable substitution in the correlation search name (e.g. $username$) instead of the notable event title. This was causing the error.</P> Sat, 02 Sep 2017 15:50:47 GMT smeier 2017-09-02T15:50:47Z https://community.splunk.com/t5/Splunk-Search/Incident-Review-Incidents-Disappear-when-search-completes/m-p/257373#M189511 <P>This is an odd issue. After a restart of Splunk my incident review dashboard will show all of my incidents as long as I filter out high. </P> <P>When I initially land on incident review and it does its autorun 24h search I briefly see all of my incidents before they all disappear. It still gives me the option to select all xx incidents so they are there, just not displaying. </P> <P>If I filter out the one high event (by greying out the 'high' box) everything displays fine. </P> <P>I changed the urgency on the one high to critical and re-ran the search to include the high results as well. Still, everything disappears. </P> <P>High seems to be the only thing causing this issue. All other combinations of searches I have tried work fine. Anything that is paired with high aside from high by itself will not display the incidents. </P> <P><STRONG>UPDATE</STRONG><BR /> 2016-03-22 19:22:24,045 ERROR [56f1fde0097f0d841f4290] utility:49 - name=javascript, class=Splunk.Error, lineNumber=9, message=Uncaught TypeError: Cannot read property 'toString' of undefined, fileName=<A href="https://10.10.10.10:9000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=*&amp;form.owner_form=*&amp;form.security_domain_form=*&amp;form.rule_name=&amp;form.srch=&amp;earliest=-24h%40h&amp;latest=now&amp;form.new_urgency_count_form=">https://10.10.10.10:9000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=*&amp;form.owner_form=*&amp;form.security_domain_form=*&amp;form.rule_name=&amp;form.srch=&amp;earliest=-24h%40h&amp;latest=now&amp;form.new_urgency_count_form=</A></P> Wed, 23 Mar 2016 02:10:05 GMT https://community.splunk.com/t5/Splunk-Search/Incident-Review-Incidents-Disappear-when-search-completes/m-p/257373#M189511 miront 2016-03-23T02:10:05Z https://community.splunk.com/t5/Splunk-Search/Incident-Review-Incidents-Disappear-when-search-completes/m-p/257374#M189512 <P>I had possibly a related issue when stumbling upon your post. In the error console this was logged-</P> <PRE><CODE>incident_review.js:6 Uncaught TypeError: s.replace is not a function at Object.getFieldValue (https://prdbsx0005:8443/en-US/static/@e82289930bdd:302/app/SA-ThreatIntelligence/js/pages/incident_review.js:6:2278026) at eval (eval at x.template (... </CODE></PRE> <P>In my case it turned out to be someone had put a variable substitution in the correlation search name (e.g. $username$) instead of the notable event title. This was causing the error.</P> Sat, 02 Sep 2017 15:50:47 GMT https://community.splunk.com/t5/Splunk-Search/Incident-Review-Incidents-Disappear-when-search-completes/m-p/257374#M189512 smeier 2017-09-02T15:50:47Z