Splunk Enterprise Security

Why is Incident Review not working after upgrade of CIM and Splunk Enterprise Security to 4.1.1?


Incident review is not working after Splunk ESS 4.1.1 and CIM Upgrade.

Also checked for data sources and their respective correlation searches enabled, but still i cant see any notable events or data in incident review?

0 Karma

Splunk Employee
Splunk Employee

@splunkrajkrk - Did the answer provided by ekost help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

Splunk Employee
Splunk Employee
  • The Incident Review page defaults to the last 24 hours. Select a different time range to see if older notable events appear.
  • Have a look into the index named "notable,” and verify there's data. For example, call macros such as es_notable_events to show data in the index. Available fields are listed on the dev site here.
  • Check that the correlation searches responsible for triggering notable events are enabled, and running. Correlation searches are found under: Configure > Content Management in recent releases.
  • Check that the KVStore is up and returning results, as some of the Notable Events fields are stored there. For example, call a macro that will display data from the KVStore such as |inputlookup incident_review_lookup. There’s also REST commands for KVStore are on the dev site here.

If none of these results in a clue towards what is wrong, consider filing a support case.

Path Finder

Do we have answer to this question yet? I have also upgraded the splunk ES to latest version and Incident Review page is not loading.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...