Splunk Enterprise Security

Investigations disappearing in Analyst Queue

Ian0706
Explorer

I have recently installed Splunk Enterprise Security v8.4 on a fresh Splunk instance after successfully using v8.2 on a previous instance. However, I have an issue when using investigations. To even create an investigation I had to manually add the "default" investigation type. The issue I am having now is that the investigation pops up for a short time when refreshing the queue and then disappears after that. Is this a known issue, and will this require an ESS reinstall?

example2.gif

0 Karma
1 Solution

kknairr
Contributor

@Ian0706 Your issue with investigations is actually documented in Splunk ES 8.4 under Known issues. No workaround is mentioned yet. Hence, a re-install of the same version won't be effective. We usually maintain n-1 versions in Splunk as a best practice to avoid such issues. Going forward, please review the Known issues for the version before doing a version upgrade to assess any potential impact of the upgrade.

splunk-comm.png

Ref: 

Known issues | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-02-04T21:32:01.448Z)


0 Karma


Ian0706
Explorer

Thank you for the help. I did not think to check for a known issues page, I guess this calls for a downgrade.

0 Karma

kknairr
Contributor

@Ian0706 No worries. Yes, since we don't have any workarounds published on this one yet.

0 Karma

Ian0706
Explorer

I apologize for the awful GIF, I didn't know that it would play on a very fast repeat. However, these investigations are also seen in the "mc_investigations_lookup".

0 Karma