Here is a procedure that could be attempted to fix the old notable that got unassigned.
- Check if the notable are unassigned on all SHC, if not maybe restore lookup incident_review_lookup
- Check for backup and see if restoring may be an option.
- The other option will be to re-build incident_review from audit data, which means we can only restore data for last 30days ( assuming audit retention is 30 days) Which means we can only rebuild for last 30 days.
- Look at the incident_review_look that is stored in KVstore to see what is there and how many:
|inputlookup incident_review_lookup
Back up the incident_review_lookup:
|inputlookup incident_review_lookup |outputlookup support.csv
Verify you back up the incident_review_lookup:
|inputlookup support.csv
Check audit for notable events set time picker to all time verify the data looks good:
index=_audit sourcetype=incident_review
| rex "@@\w+,(?[^,]+),(?[^,]),(?[^,]),(?[^,]),(?.</em>),(?<user>[^,]+),(?<something>[^,]+)" <br>
| eval time=_time <br>
| table comment owner rule_id rule_name status time urgency user </p></li>
<li><p>Add the events found in Audit to the incident_review_lookup make sure time picker is set to all time: </p>
<p>index=_audit sourcetype=incident_review <br>
| rex "@@\w+,(?<rule_name>[^,]+),(?<status>[^,]<em>),(?<owner>[^,]</em>),(?<urgency>[^,]<em>),(?<comment>.</em>),(?<user>[^,]+),(?<something>[^,]+)" <br>
| eval time=_time <br>
| table comment owner rule_id rule_name status time urgency user <br>
| outputlookup append=t incident_review_lookup </p></li>
<li><p>Verify that your original events plus the audit event are now in inciden_review_lookup: </p></li>
<li><p>|inputlookup incident_review_lookup</p></li>
</ul>
</ul>
