Splunk Enterprise Security

Finding based finding / Risk based alerting not working properly

Daavid
Loves-to-Learn Lots

Hi there,

In Mission Control in our properly working Splunk environment, we see the following:

Screen Shot 2025-06-25 at 03.36.23.732 PM.png

This is exactly how we want it: the finding based correlation search "Threat - Findings Risk Threshold Exceeded for Entity Over 24 Hour Period - Rule" fired because of multiple findings that occured for one specific entity. If you expand it, then it shows all the findings. 
(Please ignore the weird names of the findings)

Then in our other environment, it looks differently.
When you click expand, it has to think for a while:

{0FF17B06-B582-407A-B46E-ED3CBCD6EFA6}.png

And then it just shows the number of intermediate findings, but the not the actual findings themselves.
You also can't click on this grey label.

{F84F2A88-FC1F-4BC8-8C12-86A36BEAE58F}.png

I suspect it has something to do with the fact that our working environment is a somewhat fresh install, whereas the environment in which it doesn't work properly is an upgrade from an old ES version to the newest version. There might be some index problems or something, I don't know.

Does anyone know?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...