Splunk Enterprise Security

Splunk Enterprise Security: Where can I find the incident review logs (incident_review.csv)?

bipin82
New Member

Hello:

Can anyone help me in finding the Incident review logs? Will it be there in the Indexer or the Search heads? I tried doing an ssh to both Indexer and search heads, but couldn't find the incident_review.csv file.

Thanks

Bipin

0 Karma

Vinayak
New Member

in es apps search tab in searching window just search for `notable`. you will get all the deatils.

0 Karma

LukeMurphey
Champion

Newer versions of ES no longer store the Incident Review data in a lookup file. It is now kept in the KV store. The collection name is "es_notable_events". You can view this in search using inputlookup:

| inputlookup append=t es_notable_events
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...