Splunk Enterprise Security

Finding based finding / Risk based alerting not working properly

Daavid
Loves-to-Learn Lots

Hi there,

In Mission Control in our properly working Splunk environment, we see the following:

Screen Shot 2025-06-25 at 03.36.23.732 PM.png

This is exactly how we want it: the finding based correlation search "Threat - Findings Risk Threshold Exceeded for Entity Over 24 Hour Period - Rule" fired because of multiple findings that occured for one specific entity. If you expand it, then it shows all the findings. 
(Please ignore the weird names of the findings)

Then in our other environment, it looks differently.
When you click expand, it has to think for a while:

{0FF17B06-B582-407A-B46E-ED3CBCD6EFA6}.png

And then it just shows the number of intermediate findings, but the not the actual findings themselves.
You also can't click on this grey label.

{F84F2A88-FC1F-4BC8-8C12-86A36BEAE58F}.png

I suspect it has something to do with the fact that our working environment is a somewhat fresh install, whereas the environment in which it doesn't work properly is an upgrade from an old ES version to the newest version. There might be some index problems or something, I don't know.

Does anyone know?

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...