Splunk Enterprise Security: How can I change the sort order of the incident review page?

Path Finder

How can I change the sort order of the incident review page within Splunk Enterprise Security? The default appears to be _time, but we'd like to do something like urgency and then time, or a custom field and then time.


SplunkTrust

Click the table header to sort by that column.


Path Finder

Thanks Martin, you were part of the group that was discussing this with me in Slack. I'll have to do some testing, but when I first checked it didn't seem to support sorting and then sub-sorting, because I want it to be reverse time sorted after being sorted by severity.


Splunk Employee

@leonphelps_s - Were you able to find a solution to your answer? Did martin_mueller help generate that answer at all? If yes, please don't forget to post an additional comment within this thread or post a new answer if you were able to come up with a brand new solution. Then resolve your post by clicking "Accept" so others can find it. If you need additional help, please leave a comment with more feedback. Thanks!


Path Finder

Martin was helpful in general as always but did not answer my question. I was able to do this by editing the incident_review.js which is obviously an unsupported modification.


Path Finder

I don't think the sort change is possible using the standard "Incident Review" dashboard.

You could make a search that displays what you are looking for in a separate dashboard, or you could add a dropdown to the "Incident Review" dropdown that would only show open critical incidents or something of that nature.

Here is a link that would help.

http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu

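A search along the lines Anthony suggests, added here as an example and not taken from the thread or from Splunk's own dashboards. It assumes the ES `notable` macro and the `urgency` field on notable events; the rank values and the columns in the final `table` (`rule_name`, `status_label`, `owner`) are my own choices and can be swapped for a custom field.

```spl
`notable`
| eval urgency_rank=case(urgency=="critical",5,
                         urgency=="high",4,
                         urgency=="medium",3,
                         urgency=="low",2,
                         urgency=="informational",1,
                         true(),0)
| sort 0 -urgency_rank, -_time
| table _time, urgency, rule_name, status_label, owner
```

Urgency is a text value, so sorting it directly would be alphabetical; the `eval` turns it into a number first, and `sort 0` lifts the default row cap so the whole result set is ordered highest urgency first and newest first within each urgency.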

Path Finder

Thanks Anthony. I've used that link before to show unassigned or change the default time window, but it does not support the level of sort/grouping I'm asking for. Thanks again.
