Splunk Enterprise Security: Why are the colored ic...

miront · ‎11-29-2017

I want to combine multiple notable events into a single search so I am using this: eval urgency=case(infection_count<=1, "Low", infection_count>1 AND infection_count<=5, "Medium", infection_count>5 AND infection_count<=10, "High") to manually set urgency. When I do this, the Red/Yellow/Green/Blue icons that typically accompany the urgency are missing. In the attached screenshot you will see one that has the yellow icon. This was achieved by manually setting the urgency via the dropdown on the incident review dashboard. The rest are missing. Any ideas?

dflodstrom · ‎04-08-2019

To solve this issue I used the lower case values in my eval. So in your case try: eval urgency=case(infection_count<=1, "low", infection_count>1 AND infection_count<=5, "medium", infection_count>5 AND infection_count<=10, "high")

smoir_splunk · ‎11-29-2017

@miront, are there any console log errors?

Splunk Enterprise Security: Why are the colored icons missing from the urgency field when manually setting urgency with eval?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation