Splunk Enterprise Security: How can I change the sort order of the incident review page?

leonphelps_s
Path Finder

How can I change the sort order of the incident review page within Splunk Enterprise Security? The default appears to be _time, but we'd like to do something like urgency and then time, or a custom field and then time.

0 Karma

martin_mueller
SplunkTrust

Click the table header to sort by that column.

0 Karma

leonphelps_s
Path Finder

Thanks Martin, you were part of the group that was discussing this with me in Slack. I'll have to do some testing, but when I first checked it didn't seem to support sorting... and then sub-sorting... because I want it to be reverse time sorted after being sorted by severity.

0 Karma

aaraneta_splunk
Splunk Employee

@leonphelps_s - Were you able to find a solution to your answer? Did martin_mueller help generate that answer at all? If yes, please don't forget to post an additional comment within this thread or post a new answer if you were able to come up with a brand new solution. Then resolve your post by clicking "Accept" so others can find it. If you need additional help, please leave a comment with more feedback. Thanks!

0 Karma

leonphelps_s
Path Finder

Martin was helpful in general as always but did not answer my question. I was able to do this by editing the incident_review.js which is obviously an unsupported modification.

0 Karma

mikeyclarky
New Member

Super old topic, but shocking that it seems Splunk hasn't brought this functionality into the product. Would you be open to sharing the modifications you made to incident_review.js?
Thank you

0 Karma

AnthonyTibaldi
Path Finder

I don't think the sort change is possible using the standard "Incident Review" Dashboard.

You could make a search that displays what you are looking for in a separate dashboard, or you could add a dropdown to the "Incident Review" dropdown that would only show open critical incidents or something of that nature.

Here is a link that would help.

http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu

0 Karma
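A search for that separate dashboard, added here as an example and not code from either poster: it assumes the ES `notable` macro and the `urgency`, `rule_title`, `status_label` and `owner` fields it populates. Sorting `urgency` alphabetically would not put "critical" first, so the search maps each urgency to a numeric rank and then orders by rank and reverse time, the grouping the original question asks for.

```spl
`notable`
| eval urgency_rank=case(urgency=="critical", 1, urgency=="high", 2, urgency=="medium", 3, urgency=="low", 4, urgency=="informational", 5, true(), 6)
| sort 0 urgency_rank, -_time
| table _time, urgency, rule_title, status_label, owner, src, dest
```

For a custom field, replace the `eval` with a `case()` that ranks that field's values and keep the same `sort` line; `sort 0` lifts the default 10,000-row limit so large notable queues are ordered completely.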

leonphelps_s
Path Finder

Thanks Anthony. I've used that link before to show unassigned or change the default time window, but it does not support the level of sort/grouping I'm asking for. Thanks again.

0 Karma