Splunk Enterprise Security

Incident Review Auto-Refresh

New Member

How do I get my Incident Review in ES to auto refresh, without having to manually auto refresh it from the browser.


Champion

You can have Incident Review automatically update by running a real-time search. This will show updates automatically in real-time.

But I only want Incident Review to show notable events created from now on
Run an all-time real-time search if you want Incident Review to show all notable events that are created after the start of the search. This works because an all-time real-time search doesn't back-fill; it will only show things coming in from now on.

But I want to show this on a big screen along with other dashboards
In this case, you may want to consider using the Slideshow app. That app allows you to create shows consisting of a series of dashboards. It also supports a "dark mode" that looks nice on a big screen. Another option is using a browser plugin to cycle through dashboards.

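To make the distinction in the answer above concrete, here are two saved-search stanzas in savedsearches.conf syntax, one windowed and one all-time real-time. This is an added example, not code from the thread or from Splunk ES itself. The stanza names are arbitrary; `index=notable` is the index ES writes notable events to, and `rule_name` and `urgency` are fields present on those events. The only difference between the two stanzas is the `dispatch.earliest_time` value.

```ini
# Added example; stanza names are placeholders. Assumes the search runs in
# an app where index=notable is readable.

# Windowed real-time search: maintains a sliding five-minute window, so
# notable events from the last five minutes are shown when the search starts.
[Example - notable events, 5m real-time window]
search = index=notable | table _time, rule_name, urgency
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt

# All-time real-time search: earliest and latest are both "rt", so there is
# no window to fill. Nothing is back-filled; only notable events indexed after
# the search starts appear, which is the behaviour described in the answer.
[Example - notable events, all-time real-time]
search = index=notable | table _time, rule_name, urgency
dispatch.earliest_time = rt
dispatch.latest_time = rt
```

The same values (`rt-5m`/`rt` versus `rt`/`rt`) are what the Incident Review time picker sets when you choose a windowed versus an all-time real-time range, so the stanzas are a way to see the difference explicitly rather than something you must deploy. Each real-time search stays running for as long as it is open, so count them against search-concurrency limits before putting one on a permanently displayed screen.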

New Member

Is there a way to set up auto refresh (like a dashboard) without using real-time search.


Champion

Not at the current time. Could you let me know why you would prefer that over a real-time search? I'm just wondering because this may be something we should implement in the future and I wanted to know your use-case.


Communicator

Hi Luke,

By making a real-time search, do you mean turning all my correlation searches and alerts, which are triggering a notable event, into real-time searches?

Also, my case is quite similar to mr_t2083's: I want to refresh my Incident Review dashboard without turning my searches into real-time searches. I prefer that because we have a huge number of CRs and alerts firing notables in our environment, along with reports/dashboards running in the background, and we cannot afford to run them all at the same time, as real-time searches can't be cron scheduled. Running them all at the same time will hog our server's memory and will create huge memory utilization problems, leading to the server going down (this has happened to us). Even if we figure out a way to run them, real-time searches aren't preferred. Can we liaise and work out the Incident Review auto-update feature?
