How can I change the sort order of the incident review page within Splunk Enterprise Security? The default appears to be _time, but we'd like to do something urgency and then time or custom field and then time.
Click the table header to sort by that column.
Thanks Martin, you were part of the group that was discussing this with me in Slack. I'll have to do some testing but when I first checked it didn't seem to support sorting.. and then sub sorting.. because I want it to be reverse time sorted after being sorted by severity.
@leonphelps_s - Were you able to find a solution to your answer? Did martin_mueller help generate that answer at all? If yes, please don't forget to post an additional comment within this thread or post a new answer if you were able to come up with a brand new solution. Then resolve your post by clicking "Accept" so others can find it. If you need additional help, please leave a comment with more feedback. Thanks!
Martin was helpful in general as always but did not answer my question. I was able to do this by editing the incident_review.js which is obviously an unsupported modification.
Super old topic, but shocking that it seems Splunk hasn't brought this functionality into the product. Would you be open to sharing the modifications you made to incident_review.js?
Thank you
I don't think the sort change is possible using the standard "Incident Review" Dashboard
You could make a search that displays what you are looking for a separate dashboard or you could add a dropdown to the "Incident Review" dropdown that would only show open critical incidents or something of that nature.
Here is a link that would help.
http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu
Thanks Anthony. I've used that link before to show unassigned or change the default time window, but it does not support the level of sort/grouping I'm asking for. Thanks again.