Splunk Enterprise Security

Incident Review | Search is waiting for input...

Explorer

Hello all!
I'm having trouble with the Enterprise Security => Incident Review page.
It shows "Search is waiting for input..." all the time.
Urgency is empty, the graphic is empty.
But on the Security Posture page I have events.
Has anyone had this problem in the past?
How can I troubleshoot it?

0 Karma

Re: Incident Review | Search is waiting for input...

SplunkTrust

Hi @virchenko,

You need to provide a Correlation Search Name, and you need to provide a timeframe as well instead of "All Time".

If you want to check Notable Events from the Security Posture page in Incident Review, just click on the Correlation Search Name under "Top Notable Events", which will drill down (redirect) you to the Incident Review page.

0 Karma

Re: Incident Review | Search is waiting for input...

Explorer

Thanks for the answer.
It'll work when the page works correctly.
I don't get any reaction from changing the Correlation Search Name or other filters.

0 Karma

Re: Incident Review | Search is waiting for input...

Splunk Employee

Hi @virchenko. Thanks for your question! Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues.

0 Karma

Re: Incident Review | Search is waiting for input...

New Member

Have you managed to solve it? The same thing happens to me with the PCI app. I have identified errors within the internal logs with the search "index=_internal sourcetype=splunkweb_service component=error"; apparently it is a js theme.

In my case it looks for a JS file that it does not find, InvestigationBarViewWrapper.js, in /etc/apps/SplunkEnterpriseSecuritySuite/appserver/static/, but I can not find it if it is generated dynamically.

509 INFO [5ba2e020817f21c03fa2d0] error:311 - Masking the original 404 message: 'The path '/en-US/static/@a0c72a66db66/app/SplunkEnterpriseSecuritySuite/InvestigationBarViewWrapper.js' was not found.' with 'Page not found!' for security reasons

But I can not solve it 😞 Do you have any new status?

0 Karma
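
The log check described in the post above, as an added example that is not part of the original thread: a Python sketch that extracts missing static assets from splunkweb error lines of the shape quoted there and groups them by app. The function and pattern names are hypothetical, and every sample line except the quoted one is constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the "Masking the original 404 message" entry quoted in the post.
MASKED_404 = re.compile(
    r"Masking the original 404 message: 'The path '(?P<path>[^']+)' was not found\.'"
)
# Static asset URL layout as it appears in that entry:
# /<locale>/static/@<build>/app/<app>/<asset>
STATIC_ASSET = re.compile(r"^/[^/]+/static/@[^/]+/app/(?P<app>[^/]+)/(?P<asset>.+)$")


def missing_static_assets(lines):
    """Return {app: sorted missing asset paths}; repeated 404s are deduplicated."""
    found = defaultdict(set)
    for line in lines:
        hit = MASKED_404.search(line)
        if not hit:
            continue  # not a masked 404 entry
        asset = STATIC_ASSET.match(hit.group("path"))
        if asset:
            found[asset.group("app")].add(asset.group("asset"))
        else:
            # A 404 on something other than an app's static file.
            found["(non-static path)"].add(hit.group("path"))
    return {app: sorted(paths) for app, paths in found.items()}


SAMPLE_LINES = [
    # Quoted from the post above.
    "509 INFO [5ba2e020817f21c03fa2d0] error:311 - Masking the original 404 message: "
    "'The path '/en-US/static/@a0c72a66db66/app/SplunkEnterpriseSecuritySuite/"
    "InvestigationBarViewWrapper.js' was not found.' with 'Page not found!' for security reasons",
    # Constructed: the same asset requested again on a later page load.
    "112 INFO [constructed-request-id] error:311 - Masking the original 404 message: "
    "'The path '/en-US/static/@a0c72a66db66/app/SplunkEnterpriseSecuritySuite/"
    "InvestigationBarViewWrapper.js' was not found.' with 'Page not found!' for security reasons",
    # Constructed: a masked 404 that is not a static asset.
    "230 INFO [constructed-request-id] error:311 - Masking the original 404 message: "
    "'The path '/en-US/app/example_app/missing_view' was not found.' with 'Page not found!' "
    "for security reasons",
    # Constructed: an unrelated line that must be ignored.
    "301 INFO [constructed-request-id] constructed unrelated message",
]

if __name__ == "__main__":
    for app, assets in missing_static_assets(SAMPLE_LINES).items():
        print(app, assets)
```

Each reported asset can then be compared with the contents of the app's appserver/static directory on the search head.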

Re: Incident Review | Search is waiting for input...

Path Finder

I have the same problem, running Splunk 7.2.1 and Splunk ES 4.7.2. Does anyone know how to fix it, please?

0 Karma

Re: Incident Review | Search is waiting for input...

Path Finder

OK, figured out the "problem", for us at least. Splunk ES 4.7.2 is not compatible with Splunk 7.2.1. We rolled back to Splunk 6.6, and this error message disappeared.

0 Karma

Re: Incident Review | Search is waiting for input...

Engager

Why not upgrade Splunk ES instead? There are new features which make it worthwhile.

0 Karma