Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Where can I find the incident review logs (incident_review.csv)?

bipin82
New Member
‎04-26-2016 06:52 AM

Hello:

Can anyone help me in finding the Incident review logs? Will it be there in the Indexer or the Search heads? I tried doing an ssh to both Indexer and search heads, but couldn't find the incident_review.csv file.

Thanks

Bipin

0 Karma
Reply

Vinayak
New Member
‎05-04-2021 05:49 AM

in es apps search tab in searching window just search for `notable`. you will get all the deatils.

0 Karma
Reply

LukeMurphey
Champion
‎04-26-2016 10:23 AM

Newer versions of ES no longer store the Incident Review data in a lookup file. It is now kept in the KV store. The collection name is "es_notable_events". You can view this in search using inputlookup:

| inputlookup append=t es_notable_events
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top