Splunk Enterprise Security

Splunk Enterprise Security: Why won't a workflow action open in a new search from the Incident Review page?

chiltonb
Explorer

I have made a workflow action item that looks up details on an IP address when there is a threat hit. This works when it is run from the Search and Reporting app, but when I try to run it from the Incident Review page within Splunk Enterprise Security (ES) it defaults back to ES and does not open it in a new search. Does anyone know why this won't allow me to open it in a new search?

1 Solution

jstoner_splunk
Splunk Employee

If I read this correctly, you are in IR, you built your own field menu workflow action and you want to run a search. You put in a search string that worked correctly before. You are running in the current app context, which should be OK.

What view are you using? It is not a mandatory field, but when doing an integration of my own, setting the view field to search and then opening a new window worked decently.


jstoner_splunk
Splunk Employee

See attached screenshot. If you leave the view blank it will default to the view you are in, which would be incident_response. To get the search to open in a new window, try putting the term search in that "Open in view" text box and see if that helps.
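The same setting expressed in configuration rather than through the Web UI, as an added example that is not part of this thread and not the original poster's actual workflow action: a `workflow_actions.conf` stanza where the "Open in view" box corresponds to `search.view` and "open in new window" to `search.target`. The stanza name, label, field names and the search string are assumptions; the poster's real search is not shown on the page.

```ini
# workflow_actions.conf (constructed example; stanza name, fields and search are assumed)
[ip_threat_lookup]
type = search
label = Look up IP details for $@field_value$
# Show the action in the per-field menu of src_ip / dest_ip (assumed field names)
display_location = field_menu
fields = src_ip, dest_ip
# $@field_value$ is replaced with the value of the clicked field
search.search_string = index=* (src_ip="$@field_value$" OR dest_ip="$@field_value$") | stats count by sourcetype, src_ip, dest_ip
# Run the search in the Search app context
search.app = search
# "Open in view": left blank, this defaults to the view you are currently in
# (the ES Incident Review view), so results render inside ES instead of a search page
search.view = search
# "Open in new window" in the UI
search.target = blank
# Time range to use rather than inheriting the view's range
search.preserve_timerange = false
search.earliest = -24h
search.latest = now
```

After adding or editing the stanza under an app's `local` directory, reload the configuration (restart or the `_bump`/debug refresh endpoint) and check that the action now appears on the field menu in Incident Review and opens in the Search view in a new window.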

chiltonb
Explorer

That worked. I didn't type search in the "Open in view" box; I thought that it would have been a drop-down selection.

Thanks!


chiltonb
Explorer

Correct, I'm in Incident Review. I then go to Actions and then to the workflow action I have created. The workflow action is set to open in a new window.
