Splunk Enterprise Security

Why do results differ between ESS Security Posture and Incident Review dashboards?

Builder

Sometimes when I drill down on information displayed in the Security Posture dashboard there is a different number of raw events displayed in Incident Review. Shouldn't these numbers be equivelant? (SOLN-164)

1 Solution

Builder

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post

Builder

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post