Splunk Enterprise Security

Edit Action Dropdown on a notable event


I am trying to add a dashboard to the action dropdown when you are in incident review under specific notables. How do I do this? I cannot seem to find ANY document on how to do it and would appreciate a link to it or an explanation of how...


BePe is correct. In the main menu bar, click Settings -> Fields -> Workflow actions -> search on keyword "Investigator". You can also search from "All Configurations" if desired.

You will see a number of workflow actions from the DA-ESS-IdentityManagement app, such as identity_investigator_user. Click this link to see the options required to link to the desired dashboard.

Use this as a template to create a New Workflow action in the app of your choosing, ensuring that the workflow action is shared globally to be accessible from within Enterprise Security.

Label: <your choice>
Apply only to the following fields: <your choice>
Apply only to the following event types: <your choice>

Show action in: Fields menus
Action type: link
URI: /app/$@namespace$/dashboard_name?form.target_field=$@field_value$
Open link in: New window
Link method: get

This will create the appropriate stanza entries in the workflow_actions.conf for the container app.



Check the "workflow_actions.conf" files in the different apps and SAs for samples. 
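As an added illustration (not part of either reply and not copied from any Splunk app), the form settings listed above correspond to a `workflow_actions.conf` stanza like the one below, and "shared globally" corresponds to the `export = system` entry in the app's metadata. The stanza name `my_dashboard_investigator`, the app directory `<your_app>`, the label and the field `src` are assumptions; `dashboard_name` and `form.target_field` are the placeholders used in the reply.

```ini
# --- $SPLUNK_HOME/etc/apps/<your_app>/local/workflow_actions.conf ---
# Stanza name is hypothetical; pick one that is unique across apps.
[my_dashboard_investigator]
# Label shown in the Action dropdown
label = Investigate $@field_name$ in my dashboard
# "Apply only to the following fields" (assumed field; comma-separated list)
fields = src
# "Show action in: Fields menus"
display_location = field_menu
# "Action type: link"
type = link
# "URI", as given in the reply; field values are URL-escaped by default
link.uri = /app/$@namespace$/dashboard_name?form.target_field=$@field_value$
# "Open link in: New window"
link.target = blank
# "Link method: get"
link.method = get

# --- $SPLUNK_HOME/etc/apps/<your_app>/metadata/local.meta ---
# Global sharing, so the action is visible from within Enterprise Security.
[workflow_actions/my_dashboard_investigator]
export = system
```

Running `splunk btool workflow_actions list my_dashboard_investigator --debug` shows which app's file the stanza is actually being read from.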

