Splunk Enterprise Security

Investigations disappearing in Analyst Queue

Ian0706
Explorer

I have recently installed Splunk Enterprise Security v8.4 on a fresh Splunk instance after successfully using v8.2 on a previous instance. However, I have an issue when using investigations. To even create an investigation I had to manually add the "default" investigation type. The issue I am having now is that the investigation pops up for a short time when refreshing the queue and then disappears after that. Is this a known issue? Will this require an ESS reinstall?

example2.gif

0 Karma
1 Solution

kknairr
Contributor

@Ian0706 Your issue with investigations is actually documented in Splunk ES 8.4 under Known issues. No workaround is mentioned yet. Hence, a re-install of the same version won't be effective. We usually maintain n-1 versions in Splunk as a best practice to avoid such issues. Going forward, please review the Known issues for the version before doing a version upgrade to assess any potential impact due to the upgrade.

splunk-comm.png

Ref: 

Known issues | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-02-04T21:32:01.448Z)


0 Karma


Ian0706
Explorer

Thank you for the help. I did not think to check for a known issues page, I guess this calls for a downgrade.

0 Karma

kknairr
Contributor

@Ian0706 No worries. Yes, since we don't have any workarounds published on this one yet.

0 Karma

Ian0706
Explorer

I apologize for the awful GIF, I didn't know that it would play on a very fast repeat. However, these investigations are also seen in the "mc_investigations_lookup".

0 Karma