Splunk Enterprise Security

Investigations disappearing in Analyst Queue

Ian0706
Explorer

I have recently installed Splunk Enterprise Security v8.4 on a fresh Splunk instance after successfully using v8.2 on a previous instance. However, I have an issue when using investigations. To even create an investigation I had to manually add the "default" investigation type. The issue I am having now is that the investigation pops up for a short time when refreshing the queue and then disappears after that. Is this a known issue? Will this require an ESS reinstall?

example2.gif


kknairr
Communicator

@Ian0706 Your issue with investigations is actually documented in Splunk ES 8.4 under Known issues. No workaround is mentioned yet. Hence, a re-install of the same version won't be effective. We usually maintain n-1 versions in Splunk as a best practice to avoid such issues. Going forward, please review the Known issues for the version before doing a version upgrade to assess any potential impact due to the upgrade.


Ref: 

Known issues | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-02-04T21:32:01.448Z)



Ian0706
Explorer

Thank you for the help. I did not think to check for a known issues page; I guess this calls for a downgrade.


kknairr
Communicator

@Ian0706 No worries. Yes, since we don't have any workarounds published on this one yet.


Ian0706
Explorer

I apologize for the awful GIF, I didn't know that it would play on a very fast repeat. However, these investigations are also seen in the "mc_investigations_lookup".
