Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the Notable Incident Review Status dropdown have "No Matches"?

cjacklum
Engager
‎08-19-2022 08:03 AM

We are in SplunkCloud with ES 7.0.0

As a user with the sc_admin or ess_admin role when selecting an incident to edit, the drop-down for "Status" gives no matches. All other drop-downs give options as expected.

We've tried enable/disable all statuses, creating new statuses, adding/removing transitions roles for ALL statuses, granting permissions to edit_reviewstatus for additional roles, granting write permissions to kvstore reviewstatuses_lookup, and several other things.

Is there a key thing we are missing to be able to change status on incidents with the ess_admin user?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cjacklum
Engager
‎09-06-2022 07:53 AM

This turned out to be the sharing permissions on Enterprise Security App was set to "App".
The fix was to change this to "Global".

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cjacklum
Engager
‎09-06-2022 07:53 AM

This turned out to be the sharing permissions on Enterprise Security App was set to "App".
The fix was to change this to "Global".

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top