Is there a way to update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk for Enterprise Security?
For example, Asset Investigator has the Default collection, the Protocol Intelligence, and then Custom for the user to pick. I'd like to either add a third collection or update the default to include an additional swimlane.
You can create new swim lanes just like most anything else...by creating a search. Except, in the context of Enterprise Security, you have to use the Content Management framework in order to create a new Swim Lane Search. Once you create that you will have a new swim lane that you can add to your custom grouping. You can find more information here:
http://docs.splunk.com/Documentation/ES/5.1.0/User/Eventinvestigator#Edit_the_swim_lanes
And here:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Createswimlanesearches
Hope that helps!
I've created a custom swimlane for my Enterprise Security users. I was hoping to add it to the Default collection so they see it by default when they access the dashboard.
I'm trying to avoid having users have to configure the dashboard.
There is a way. You'll need to edit the "correlationsearches.conf" file, find the stanza in the file that is associated with the Swim Lane Search you created, and then under that Swim Lane Search's stanza add the line display.page.asset_investigator.0.collection_name = Default. Just make sure you choose the proper investigator for the search, either asset or identity, in the line you add to the stanza. You'll also need display.page.asset_investigator.0.order = 1 if it's not already there. That ought to get the newly created swim lane search added to the default collection.
Slight correction....this should be in savedsearches.conf now....not correlationsearches.conf. correlationsearches.conf got deprecated in ES 4.6. So, if you are working in something older than 4.6, use correlationsearches.conf....4.6 and newer, use savedsearches.conf.
That did it. As a note, I had to copy 4 lines total to my swimlane from an existing swimlane:
display.page.asset_investigator.0.collection_name = Default
display.page.asset_investigator.0.order = 7
is_visible = false
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
alert.track = 0
Fantastic! Glad that did it for you! And thanks for sharing the final results that worked best for you!
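As an added example (not from this thread, and not Splunk's own tooling), here is a small audit script that reads a savedsearches.conf and reports, for every stanza carrying display.page.asset_investigator.* or display.page.identity_investigator.* keys, which collection it lands in and whether the collection_name and order keys the answer above calls for are both present. It assumes Splunk's INI-style conf syntax parses with Python's configparser; the stanza names and searches in the sample are constructed.

```python
import configparser
from typing import Dict

# Keys the thread identifies as needed for a swim lane search to show up in a
# collection on the Asset or Identity Investigator (ES 4.6+: savedsearches.conf).
REQUIRED_SUFFIXES = ("collection_name", "order")
INVESTIGATORS = ("asset_investigator", "identity_investigator")

# Constructed sample of a savedsearches.conf; not taken from a real deployment.
SAMPLE_CONF = """
[Swimlane - Custom Auth Failures]
search = index=main sourcetype=linux_secure "Failed password" | eval key=src
display.page.asset_investigator.0.collection_name = Default
display.page.asset_investigator.0.order = 7
is_visible = false
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
alert.track = 0

[Swimlane - Identity VPN Logins]
search = index=vpn action=success | eval key=user
display.page.identity_investigator.0.collection_name = Custom

[Some Unrelated Search]
search = index=_internal | head 1
"""


def audit_swimlanes(conf_text: str) -> Dict[str, dict]:
    """Return {stanza: {investigator, collection, order, missing}} for swim lane stanzas."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as Splunk writes it
    cp.read_string(conf_text)
    report: Dict[str, dict] = {}
    for stanza in cp.sections():
        keys = dict(cp.items(stanza))
        for inv in INVESTIGATORS:
            prefix = f"display.page.{inv}.0."
            present = {k[len(prefix):]: v for k, v in keys.items() if k.startswith(prefix)}
            if not present:
                continue  # not a swim lane stanza for this investigator
            report[stanza] = {
                "investigator": inv,
                "collection": present.get("collection_name"),
                "order": present.get("order"),
                "missing": [s for s in REQUIRED_SUFFIXES if s not in present],
            }
    return report


if __name__ == "__main__":
    for name, info in audit_swimlanes(SAMPLE_CONF).items():
        print(name, info)
```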