Solved: Why do results differ between ESS Security Posture...

hazekamp · ‎02-14-2011

Sometimes when I drill down on information displayed in the Security Posture dashboard there is a different number of raw events displayed in Incident Review. Shouldn't these numbers be equivelant? (SOLN-164)

hazekamp · ‎02-14-2011

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post

hazekamp · ‎02-14-2011

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

Why do results differ between ESS Security Posture and Incident Review dashboards?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!