Splunk Enterprise Security

Splunk Enterprise Security: How can I change the sort order of the incident review page?

leonphelps_s
Path Finder

How can I change the sort order of the incident review page within Splunk Enterprise Security? The default appears to be _time, but we'd like to do something like urgency and then time, or a custom field and then time.

0 Karma

martin_mueller
SplunkTrust

Click the table header to sort by that column.

0 Karma

leonphelps_s
Path Finder

Thanks Martin, you were part of the group that was discussing this with me in Slack. I'll have to do some testing, but when I first checked it didn't seem to support sorting... and then sub-sorting... because I want it to be reverse time sorted after being sorted by severity.

0 Karma

aaraneta_splunk
Splunk Employee

@leonphelps_s - Were you able to find a solution to your answer? Did martin_mueller help generate that answer at all? If yes, please don't forget to post an additional comment within this thread or post a new answer if you were able to come up with a brand new solution. Then resolve your post by clicking "Accept" so others can find it. If you need additional help, please leave a comment with more feedback. Thanks!

0 Karma

leonphelps_s
Path Finder

Martin was helpful in general as always but did not answer my question. I was able to do this by editing the incident_review.js which is obviously an unsupported modification.

0 Karma

mikeyclarky
New Member

Super old topic, but shocking that it seems Splunk hasn't brought this functionality into the product. Would you be open to sharing the modifications you made to incident_review.js?

Thank you

0 Karma

AnthonyTibaldi
Path Finder

I don't think the sort change is possible using the standard "Incident Review" dashboard.

You could make a search that displays what you are looking for on a separate dashboard, or you could add a dropdown to the "Incident Review" dashboard that would only show open critical incidents, or something of that nature.

Here is a link that would help.

http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu

0 Karma
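As an added illustration of the "separate search" approach suggested above (this is example SPL, not code from the thread or from Splunk's Incident Review dashboard), the query below ranks open notables by urgency and then by newest first. It assumes the ES `notable` macro and the `urgency`, `status_label`, `rule_name` and `owner` fields it normally returns; adjust the field names if your ES version differs.

```spl
| `notable`
| search status_label!="Closed"
| eval urgency_rank=case(urgency=="critical", 5, urgency=="high", 4, urgency=="medium", 3, urgency=="low", 2, urgency=="informational", 1, true(), 0)
| sort 0 -urgency_rank, -_time
| table _time, urgency, rule_name, status_label, owner
```

The `eval` turns the textual urgency into a numeric rank so `sort` orders it correctly; saving this as a report on a custom dashboard (see the "Add a link to the ES menu" doc linked above) gives a triage view without modifying incident_review.js.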

leonphelps_s
Path Finder

Thanks Anthony. I've used that link before to show unassigned or change the default time window, but it does not support the level of sort/grouping I'm asking for. Thanks again.

0 Karma