
Why can't Enterprise Security searches with the 'incident_review' macro filter for time?

New Member

I have been trying to build a report for a client tracking the ticket statuses in the incident review dashboard over time. The dashboard contains 8 panels, and the base search for all of those panels is as follows:

| `incident_review` | rename status_label as status | timechart span=7d count by status | sort - _time

The search does what it is meant to do: it separates the statuses into weekly buckets, counts them up, and spits them out in a table or graph (whatever I choose).

The problem comes when I need to assign a time filter for the panels. The client only wants the previous 16 weeks' worth of this data, but when I attempt to assign this time filter, nothing happens. When I attempt to assign ANY time filter, nothing happens.

Has anyone else had this issue when trying to build reports using the incident review macro? If so, how did you solve this?

Thank You,
Tyler Dygert


Re: Why can't Enterprise Security searches with the 'incident_review' macro filter for time?

SplunkTrust

The macro is basically loading a lookup file; it's not searching an index. As a result, the time range picker doesn't do anything.

You can still filter in your search:

... | where _time >= relative_time(now(), "-16w@w1") | ...


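As an added example that is not part of the thread, here is the full report search with the 16-week cutoff in place, followed by a second variant that honours the dashboard's time picker instead of a fixed window. The second form uses Splunk's `addinfo` command, which attaches the search's own earliest and latest boundaries to every row as `info_min_time` and `info_max_time`; because the latest boundary arrives as the string "+Infinity" when the picker is set to "All time", the `isnum` guard skips the upper bound in that case. The field names `status_label` and `_time` come from the question; the two-search layout and the `addinfo` variant are my additions.

```spl
`incident_review`
| rename status_label AS status
| where _time >= relative_time(now(), "-16w@w1")
| timechart span=7d count BY status
| sort - _time

`incident_review`
| rename status_label AS status
| addinfo
| where _time >= info_min_time AND (NOT isnum(info_max_time) OR _time <= info_max_time)
| fields - info_*
| timechart span=7d count BY status
| sort - _time
```

`-16w@w1` means "16 weeks back, snapped to the start of that week (Monday)", so the first bucket is a complete week rather than a partial one. The `where` must sit before `timechart`: once the rows are aggregated into buckets there is no per-row `_time` left to filter on. When using the `addinfo` form in a dashboard panel, test it once with "All time" selected to confirm the unbounded case behaves as expected on your Splunk version.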

Re: Why can't Enterprise Security searches with the 'incident_review' macro filter for time?

New Member

This worked! Thank you.
