Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Where can I find the incident review logs (incident_review.csv)?

bipin82
New Member
‎04-26-2016 06:52 AM

Hello:

Can anyone help me in finding the Incident review logs? Will it be there in the Indexer or the Search heads? I tried doing an ssh to both Indexer and search heads, but couldn't find the incident_review.csv file.

Thanks

Bipin

0 Karma
Reply

Vinayak
New Member
‎05-04-2021 05:49 AM

in es apps search tab in searching window just search for `notable`. you will get all the deatils.

0 Karma
Reply

LukeMurphey
Champion
‎04-26-2016 10:23 AM

Newer versions of ES no longer store the Incident Review data in a lookup file. It is now kept in the KV store. The collection name is "es_notable_events". You can view this in search using inputlookup:

| inputlookup append=t es_notable_events
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top