Just to add to my previous post, beware of using the UI to update the filter_sets KV store, for example through the Splunk App for Lookup File Editing.  Using that method is likely to save the JSON filter content as an escaped string, which will result in the Incident Review page not loading anymore (due to JS errors - which can be seen in the Browser JS Console).

Instead use the REST API endpoints directly (via curl or a script).  Here an example that worked for me:

• Copy the JSON of a Saved Filter and adapt it if needed
• Insert the new Saved Filter into the filter_sets collection under the target user's context (named "test" in my example):

curl -k -u admin:changeme \
https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets \
-H 'Content-Type: application/json' \
-d '{"filters": {"type": {"label": "Type", "values": [] }, "urgency": {"label": "Urgency", "values": [] }, "status": {"label": "Status", "values": ["0", "1", "2", "3"] }, "owner": {"label": "Owner", "values": [] }, "domain": {"label": "Domain", "values": [] }, "search": {"label": "Search", "values": ""}, "source": {"label": "Source", "values": [] }, "tag": {"label": "Tags", "values": [] }, "earliest": {"label": "Earliest", "values": "-24h@h"}, "latest": {"label": "Latest", "values": "now"}, "xref": {"label": "Associations", "values": [] } }, "name": "Open Incidents", "_user": "admin"}'

• Re-read the newly added KV Store entry:

curl -k -u admin:changeme \
https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets

• Make sure the data returned is properly formatted JSON (as opposed to a escaped string) and note the _key value that was assigned.
• (Optionally) If you would like to make the new Saved Filter the default for the target user, add a defaultFilterSet entry with the _key value taken above to the user's user-prefs.conf file (under $SPLUNK_HOME/etc/users/test/user-prefs/local/user-prefs.conf).  For example:

[general]
tz = America/New_York
search_use_advanced_editor = true
search_line_numbers = false
search_auto_format = false
defaultFilterSet = 64497a238e2e60128c6be2e3

Have the target log out and log back in again, and you should be all set.

Thanks for the response and info @ccl0utier !!! My goal is to set a default filter for all who log into this ES.   Is this possible?

SO Rock On! from the GUI one is able to create a default view and pass that to all the users.  Bummer in that it looks like those settings are in a KV Store somewhere and not in a CONF?

Thank you sir!!!