Splunk Enterprise Security

Splunk Enterprise Security: How can I change the sort order of the incident review page?

leonphelps_s
Path Finder

How can I change the sort order of the incident review page within Splunk Enterprise Security? The default appears to be _time, but we'd like to do something like urgency and then time, or a custom field and then time.

0 Karma

martin_mueller
SplunkTrust

Click the table header to sort by that column.

0 Karma

leonphelps_s
Path Finder

Thanks Martin, you were part of the group that was discussing this with me in Slack. I'll have to do some testing, but when I first checked it didn't seem to support sorting... and then sub-sorting... because I want it to be reverse time sorted after being sorted by severity.

0 Karma

aaraneta_splunk
Splunk Employee

@leonphelps_s - Were you able to find a solution to your answer? Did martin_mueller help generate that answer at all? If yes, please don't forget to post an additional comment within this thread or post a new answer if you were able to come up with a brand new solution. Then resolve your post by clicking "Accept" so others can find it. If you need additional help, please leave a comment with more feedback. Thanks!

0 Karma

leonphelps_s
Path Finder

Martin was helpful in general, as always, but did not answer my question. I was able to do this by editing incident_review.js, which is obviously an unsupported modification.

0 Karma

mikeyclarky
New Member

Super old topic, but shocking that it seems Splunk hasn't brought this functionality into the product. Would you be open to sharing the modifications you made to incident_review.js?

Thank you

0 Karma

AnthonyTibaldi
Path Finder

I don't think the sort change is possible using the standard "Incident Review" dashboard.

You could make a search that displays what you are looking for in a separate dashboard, or you could add a dropdown to the "Incident Review" dropdown that would only show open critical incidents or something of that nature.

Here is a link that would help.

http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu

0 Karma
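As an added illustration of the "separate search" approach suggested in the answer above (this is not code from the thread or from Splunk), the SPL below lists notable events ordered by urgency first and then by newest time. Sorting on the `urgency` string alone would give alphabetical order (critical, high, informational, low, medium), so the search first maps urgency to a numeric rank; the field names `urgency`, `rule_name`, `status` and `owner` are assumed to be the Enterprise Security defaults in the `notable` index, and the rank values are chosen here for illustration.

```spl
index=notable
| eval urgency_rank=case(
    urgency=="critical", 0,
    urgency=="high", 1,
    urgency=="medium", 2,
    urgency=="low", 3,
    urgency=="informational", 4,
    true(), 5)
| sort 0 urgency_rank, -_time
| table _time urgency rule_name status owner
```

The `0` after `sort` lifts the default 10,000-row limit, and `-_time` gives the reverse-time order within each urgency group. Saved as a report, the search can be placed in its own dashboard panel and linked from the ES menu as described in the documentation page above.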

leonphelps_s
Path Finder

Thanks Anthony. I've used that link before to show unassigned notables or change the default time window, but it does not support the level of sort/grouping I'm asking for. Thanks again.

0 Karma