Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Why won't a workflow action open in a new search from the Incident Review page?

chiltonb
Explorer
‎02-06-2017 11:59 AM

I have made a workflow action item that looks up details on an IP address when there is a threat hit. This works when it is ran from the Search and Reporting app, but when I try to run it from the Incident Review page within Splunk Enterprise Security (ES) it defaults back to ES and does not open it in a new search. Does anyone know why this won't allow me to open in a new search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jstoner_splunk
Splunk Employee
Splunk Employee
‎02-06-2017 12:49 PM

If I read this correctly, you are in IR, you build your own field menu workflow and you want to run a search. You put in a search string that worked correctly before. You are running in the current app context which should be ok.

What view are you using? It is not a mandatory field but when doing an integration of my own, I setting the view field to search and then opened a new window would work decently.

View solution in original post

Reply
Solved! Jump to solution
Solution

jstoner_splunk
Splunk Employee
Splunk Employee
‎02-06-2017 12:49 PM

If I read this correctly, you are in IR, you build your own field menu workflow and you want to run a search. You put in a search string that worked correctly before. You are running in the current app context which should be ok.

What view are you using? It is not a mandatory field but when doing an integration of my own, I setting the view field to search and then opened a new window would work decently.

Reply
Solved! Jump to solution

jstoner_splunk
Splunk Employee
Splunk Employee
‎02-07-2017 05:15 AM

See attached screenshot. If you leave the view blank it will default to the view you are in which would be incident_response. To get the search to open in a new window, try putting the term search in that open in view text box and see if that helps.

Preview file
1 KB
Reply
Solved! Jump to solution

chiltonb
Explorer
‎02-07-2017 07:42 AM

That worked, I didn't type search in the "Open in view" box, I thought that it would have been a drop down selection.

Thanks!

0 Karma
Reply
Solved! Jump to solution

chiltonb
Explorer
‎02-06-2017 01:02 PM

Correct im in Incident Review, I then go to actions and then to the workflow I have created. The work flow is set to open in a new window.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...