Solved: Why do results differ between ESS Security Posture...

hazekamp · ‎02-14-2011

Sometimes when I drill down on information displayed in the Security Posture dashboard there is a different number of raw events displayed in Incident Review. Shouldn't these numbers be equivelant? (SOLN-164)

hazekamp · ‎02-14-2011

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post

hazekamp · ‎02-14-2011

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

Why do results differ between ESS Security Posture and Incident Review dashboards?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases