Re: Incident Review Auto-Refresh

mr_t2083 · ‎04-17-2018

How do I get my Incident Review in ES to auto refresh, without having to manually auto refresh it from the browser.

nsanzar_splunk · ‎02-15-2024

As of ES 7.2, auto-refresh feature is available on Incident Review Page. Auto-refresh is paused when selecting or editing a Notable. This will allow you to work the notable without refreshing the list. You can manually re-load the IR Page and Auto-refresh is turned back on.

See below KB for more details on how to enable it:

https://docs.splunk.com/Documentation/ES/7.3.0/Admin/CustomizeIR#Configure_auto-refresh_to_update_no...

aakwah · ‎09-30-2022

Hi Everyone,

I found a workaround to auto-refresh Incident Review dashboard by adding these 3 lines below to this html file as it is already included in Incident Review dashboard xml file.

/opt/splunk/etc/apps/SA-ThreatIntelligence/appserver/templates/generic.html

<head>
<meta http-equiv="refresh" content="300">
</head>

This will refresh the page after 300 seconds (5 mins).

<%inherit file="base.html"/>
<head>
<meta http-equiv="refresh" content="300">
</head>
<div class="preload">
    <div id="placeholder-splunk-bar">
        <a href="${make_url([])}" class="brand" title="splunk &gt; listen to your data">splunk<strong>&gt;</strong></a>
    </div>
    <div id="placeholder-app-bar"></div>
    <div id="placeholder-main-section-body">
    ${_('Loading...')}
    </div>
</div>

Please let me know for any further details, and accept the answer if it solved the problem.

Ahmed

LukeMurphey · ‎04-17-2018

You can have Incident Review automatically update by running a real-time search. This will show updates automatically in real-time.

But I only want Incident Review to show notable events created from now on
Run an all-time real-time search if you want Incident Review to show all notable events that are created after the start the search. This works because an all-time real-time search doesn't back-fill; it will only show things coming in from now on.

But I want to show this on a big screen along with other dashboards
In this case, you may to consider using the Slideshow app. That app allows you to create shows consisting of a series of dashboards. It also supports a "dark-mode" that loos nice on a big-screen. Another option is using a browser plugin to cycle through dashboards.

mr_t2083 · ‎04-18-2018

Is there a way to set up auto refresh (like a dashboard) without using real-time search.

LukeMurphey · ‎04-18-2018

Not at the current time. Could you let me know why you would prefer that over a real-time search? I'm just wondering because this may be something we should implement in the future and I wanted to know your use-case.

shiv1593 · ‎11-20-2018

Hi Luke,

By making a real time search, do you mean turning all my correlation searches and alerts, which are triggering a notable event, into Real time searches?

Also, my case is quite similar to mr_t2083, I want to refresh my Incident Review Dashboard without turning my searches into real time searches. I prefer that because we have a huge number of CRs and alerts firing notables in our environment, along with reports/dashboards running in the background, and we cannot afford to run them all at the same time, as real time searches can't be cron scheduled. Running them all at the same time will hog our Server's memory and will create a huge memory utilization problems, leading to server going down (has happened with us). Even if we figure out a way to run them, real time searches aren't preferred. Can we liase and work out the Incident review auto updation feature?

JonD · ‎04-06-2021

I'm a new Splunk customer and I'm wondering the same thing. How can I auto refresh the notables in Incident Review?? Think of an analyst monitoring for notables while also doing another task. Click...wait...click...wait...click....wait.....hopefully you get the point. Clicking refresh every minute and\or monitoring a dashboard that you can't interact with to directly assign ownership or change status of a notable are both inefficient and prone for missed SLAs. This seems like it would be a simple use case to solve. Seeing as though I'm bumping into the same "issue" as other customers years later is concerning. I'd be happy to share my thoughts with a Splunk UX decision maker to provide more information as to why this would be a useful feature for Splunk users.

sajohnson6 · ‎01-19-2022

We were using the real-time feature until we upgrade to 6.6.2. Apparently after version 6.6.0, real-time searches are no longer supported. I've asked the question again and had a co-worker reach out to our contact @ Splunk to see if we are missing something. In the mean time, I've created a dashboard using the `notable` macro and tailoring it to our needs. The panel that is looking for new events updates every 2 minutes, and has a drill down built in that allows the analyst to click the event which re-directs them to a preconfigured incident review page. From there they can work the events. I hope there is another solution, but this way works for now.

How do I get my Incident Review in ES to auto refresh?

incident review

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM