Splunk Enterprise Security

When upgrading to ES 5.1.0 the "Related Events" disappeared.

jhall0007
Path Finder

After upgrading to Splunk 7.1.2 and ES 5.1.0 I no longer see the "Related Events" drilldown option on the incident review page. I do have drilldown settings ("Drill-down name" and "Drill-down search") configured in my correlation search. Is anyone else experiencing this trouble? Are there any new parameters that need to be configured?

0 Karma

smoir_splunk
Splunk Employee

Are you referring to the "view contributing events" option? Is it happening for all notable events? Have you cleared your web browser cache and the Splunk web cache (with _bump or _refresh) since upgrading?

0 Karma

jhall0007
Path Finder

On ES 5.0.0 it is called "contributing events" on the incident review page, though the wording may have been changed on 5.1.0. It is right between history and Adaptive response.

I have tried:
- Clearing cache
- Using a private window on a secondary browser
- Using a secondary user
- Used debug/refresh
- Used /_bump
- Completed a second restart of Splunk services

I hadn't tried _bump until you suggested it. Thank you for that, but it is still having the problem.

0 Karma

smoir_splunk
Splunk Employee

That is super strange. I have no explanation for why this would be happening. Is this happening for all events, like I said? Some correlation searches create notable events that, if just one event is contributing, don't have a drilldown and just have the original event that led to the notable getting created.

0 Karma

jhall0007
Path Finder

It is happening for all events; at least some of those events have drilldown searches and names configured. I tried updating the drilldown search name just to see if it would change anything - unfortunately it did not. I appreciate your input.

0 Karma