Splunk Enterprise Security

Why is Incident Review not working after upgrade of CIM and Splunk Enterprise Security to 4.1.1?

splunkrajkrk
Explorer

Incident review is not working after Splunk ESS 4.1.1 and CIM Upgrade.

Also checked for data sources and their respective correlation searches enabled, but still i cant see any notable events or data in incident review?

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@splunkrajkrk - Did the answer provided by ekost help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

ekost
Splunk Employee
Splunk Employee
  • The Incident Review page defaults to the last 24 hours. Select a different time range to see if older notable events appear.
  • Have a look into the index named "notable,” and verify there's data. For example, call macros such as es_notable_events to show data in the index. Available fields are listed on the dev site here.
  • Check that the correlation searches responsible for triggering notable events are enabled, and running. Correlation searches are found under: Configure > Content Management in recent releases.
  • Check that the KVStore is up and returning results, as some of the Notable Events fields are stored there. For example, call a macro that will display data from the KVStore such as |inputlookup incident_review_lookup. There’s also REST commands for KVStore are on the dev site here.

If none of these results in a clue towards what is wrong, consider filing a support case.

SNaikwade
Path Finder

Do we have answer to this question yet? I have also upgraded the splunk ES to latest version and Incident Review page is not loading.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...