Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Incident Review Dashboard incidents storage

coolwater77
Explorer
‎08-23-2013 08:30 AM

As I understand the splunk app for Enterprise Security creates a number of TSIDX namespaces that are used to store summary statistical data used by the dashboards and correlation searches throughout the app. And I guess the limit for the length of time that namespaces are retained is specified in the $SPLUNK_HOME/etc/apps//default/tsidx_retention.conf file.

The only available namespace that i see for notable events is the "sa_notables" I am trying to understand if this is the namespace that the incident review dashboard uses to store all its incidents and also would like to know if all the tickets that are managed by the incident review dashboards are also stored in the same name space and how to setup a retention to store all the tickets that my security operations have worked on

0 Karma
Reply

LukeMurphey
Champion
‎08-23-2013 09:23 AM

The output from the correlation searches (the notable events) are actually stored in a summary index called "notable". This index is managed by whatever retention policy you have defined for indexes.

The incident review dashboard stores the case statuses and notes in a lookup file (incident_review.csv) which won't get truncated (we keep the status changes forever).

BTW: You are correct, tsidx_retention.conf is used to limit the size of the TSIDX namespaces.

Reply

LukeMurphey
Champion
‎08-23-2013 11:06 AM

Depends what kind of access you are talking about.

The Incident Review Audit page in ES provides a view for looking at the contents.

On the file system, it is stored in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv.

You can also do a search to get back the contents:

| incident_review

0 Karma
Reply

coolwater77
Explorer
‎08-23-2013 09:50 AM

Thank you . How can I access the incident_review.csv file from the ES App.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...