Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why do results differ between ESS Security Posture and Incident Review dashboards?

hazekamp
Builder
‎02-14-2011 09:15 PM

Sometimes when I drill down on information displayed in the Security Posture dashboard there is a different number of raw events displayed in Incident Review. Shouldn't these numbers be equivelant? (SOLN-164)

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎02-14-2011 09:22 PM

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎02-14-2011 09:22 PM

The Security Posture dashboard information is displayed based on saved searches that run in the background (scheduled to run every 10 minutes by default). However, when a data point is drilled into, the Incident Review dashboard will kick off a search that will bring back the most current results. Since the drill down search and the dashboard searches have differing time frames, the results could potentially be different as well.

It is also worth noting that the since the Security Posture dashboard is refreshed based on scheduled saved searches, refreshing this dashboard more frequently than the search schedule will not update ones result set.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...