Splunk Enterprise Security

In Splunk ES how do I create a search to find all unassigned and assigned owners to a rule/title


Hi all.

Our Incident Review page is getting needlessly large and I want to create a dashboard that will populate with a select few rule_names or titles that I can see in the Incident Review tab in Splunk ES.

|`incident_review`
| fields - time

For example, this shows me fields that are useful because I also get `_time`, owner/reviewer, rule_name and status. What I am looking for is all that, including the rules that came in and are also unassigned to an owner.

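An added example search, not from the original post or any answer on the page, showing one way to express what is asked above in SPL. It assumes the `incident_review` macro returns the fields the poster names (`_time`, `rule_name`, `owner`, `reviewer`, `status`), that ES records a notable with no owner as the literal value `unassigned` (its default, but confirm in your own environment), and the `<rule name N>` values are placeholders for the rule names you want on the dashboard.

```spl
`incident_review`
| search rule_name IN ("<rule name 1>", "<rule name 2>")
| eval owner=if(isnull(owner) OR owner="", "unassigned", owner)
| eval assignment=if(owner="unassigned", "unassigned", "assigned")
| table _time rule_name owner reviewer status assignment
| sort - _time
```

The two `eval` lines normalise empty and null owners so the derived `assignment` field reliably separates assigned from unassigned notables; for a per-rule count instead of a row list, end with `| stats count by rule_name assignment` in place of the `table` and `sort`.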