Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Edit Action Dropdown on a notable event

Denorsmith
Engager
‎08-21-2021 03:27 PM

I am trying to add a dashboard to the action dropdown when you are in incident review under specific notables. How do I do this? I cannot seem to find ANY document on how to do it and would appreciate a link to it or an explanation of how...

0 Karma
Reply

ro_mc
Path Finder
‎09-21-2021 03:00 AM

BePe is correct. In the main menu bar, click Settings -> Fields -> Workflow actions -> search on keyword "Investigator". You can also search from "All Configurations" if desired.

You will see a number of workflow actions from the DA-ESS-IdentityManagement app, such as identity_investigator_user. Click this link to see the options required to link to the desired dashboard.

Use this as a template to create a New Workflow action in the app of your choosing, ensuring that the workflow action is shared globally to be accessible from within Enterprise Security.

Label: <your choice>
Apply only to the following fields: <your choice>
Apply only to the following event types: <your choice>

Show action in: Fields menus
Action type: link
URI: /app/$@namespace$/dashboard_name?form.target_field=$@field_value$
Open link in: New window
Link method: get

This will create the appropriate stanza entries in the workflow_actions.conf for the container app.

0 Karma
Reply

BePe
Engager
‎09-20-2021 11:02 PM

Check the "workflow_actions.conf" files in the different apps and SAs for samples. 

 

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...