Splunk Enterprise Security

Splunk Enterprise Security: Why won't a workflow action open in a new search from the Incident Review page?

chiltonb
Explorer

I have made a workflow action item that looks up details on an IP address when there is a threat hit. This works when it is run from the Search and Reporting app, but when I try to run it from the Incident Review page within Splunk Enterprise Security (ES) it defaults back to ES and does not open it in a new search. Does anyone know why this won't allow me to open in a new search?

1 Solution

jstoner_splunk
Splunk Employee

If I read this correctly, you are in IR, you have built your own field menu workflow action and you want to run a search. You put in a search string that worked correctly before. You are running in the current app context, which should be OK.

What view are you using? It is not a mandatory field, but when doing an integration of my own, setting the view field to search and then opening a new window worked decently.


jstoner_splunk
Splunk Employee

See attached screenshot. If you leave the view blank, it will default to the view you are in, which would be incident_response. To get the search to open in a new window, try putting the term search in that "Open in view" text box and see if that helps.
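The same fix expressed in workflow_actions.conf, as an added example that is not from the original thread or from Splunk; the stanza names, the IP field names and the lookup search are assumptions, and "Open in view" in Splunk Web corresponds to the search.view key:

```ini
# Constructed example: a field-menu workflow action that pivots from an
# IP field in Incident Review to a threat lookup search.
# Stanza names, field names, index and the search string are assumptions.

# Before: search.view is blank, so when the action is triggered from the
# Incident Review page the search is rendered inside the view you are
# already in (the ES incident review dashboard) instead of a Search page.
[ip_threat_lookup_before]
display_location = field_menu
fields = src_ip, dest_ip
label = Look up threat details for $@field_value$
type = search
search.app = search
search.target = blank
search.earliest = -24h
search.latest = now
search.search_string = index=threat_intel ip="$@field_value$" | stats count by threat_key, threat_category

# After: search.view = search (the "Open in view" box in Splunk Web) tells
# Splunk which view to open, and search.target = blank opens it in a new
# window, so the pivot works from Incident Review as well as from Search.
[ip_threat_lookup]
display_location = field_menu
fields = src_ip, dest_ip
label = Look up threat details for $@field_value$
type = search
search.app = search
search.view = search
search.target = blank
search.earliest = -24h
search.latest = now
search.search_string = index=threat_intel ip="$@field_value$" | stats count by threat_key, threat_category
```

Check the effective settings on the search head with `splunk btool workflow_actions list ip_threat_lookup --debug` to confirm no app-level copy of the stanza overrides search.view.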

chiltonb
Explorer

That worked. I didn't type search in the "Open in view" box; I thought that it would have been a drop-down selection.

Thanks!


chiltonb
Explorer

Correct, I'm in Incident Review. I then go to Actions and then to the workflow I have created. The workflow is set to open in a new window.
