Splunk Enterprise Security

Why is risk event timeline not working and giving an Error: "Risk event has missing or invalid fields"?


I am trying to pull up the Risk Event Timeline for a Risk Notable in my Incident Review Dashboard. Every time I click the link, it gives me an error saying "Risk event has missing or invalid fields".

I know that Risk Event Timeline only works for the risk_object field on Risk Notables.

  1. We have noticed a couple of issues that were related to Search-Driven lookups being disabled.  Might there be a lookup table that is referenced here that might be in the same boat?
  2. Is there somewhere that defines what fields are required in the Risk Notable?
  3. Any way to troubleshoot what is missing or incorrect?


For me, the risk event timeline works for the ES built-in RIRs such as "Risk - 24 Hour Risk Threshold Exceeded - Rule". However we don't use them and we have our own RIRs, for which we had the same problem as the OP.

First step is to make sure our RIRs are mentioned in the "risk_notables" event type, otherwise the option to open the risk event timeline isn't there.

Then, looking at "Risk - 24 Hour Risk Threshold Exceeded - Rule" it produces the following fields:
source (multivalue field with the names of the RR correlations)
I can't confirm which ones are indeed required, but adding these to my RIR got rid of the error message.

The next hurdle was "Risk event search did not return any results. Please verify notable drilldown search."

This was solved by copying the drilldown search from "Risk - 24 Hour Risk Threshold Exceeded - Rule" to the drilldown search of my RIR.

Now the risk event timeline works for us 🙂 Of course, it's too limited to be useful but it's nice to be aligned with what ES is doing in case it one day becomes useful.



We have the same problem. Here is a screenshot: risk timeline.PNG

I would love for this question from the original poster to be answered:

"Is there somewhere that defines what fields are required in the Risk Notable?"


@gabriel_vasseur @stewlarsen @marysan  - Not sure if you have managed to resolve this.

I had encountered the same issue and I had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization

If this helps, pls mark this accepted. thx

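An added troubleshooting search for the OP's third question (not from this thread or from Splunk's documentation): it lists notables from a custom RIR that lack any of the fields the two answers above mention (the risk_* fields, the multivalue source field and calculated_risk_score). It assumes ES's `notable` macro and a search_name field holding the correlation search name; the field list is what the thread reports, not an official required-field list, and "Risk - My Custom RIR*" is a placeholder.

```spl
`notable`
| search search_name="Risk - My Custom RIR*"
| foreach risk_object risk_object_type risk_score calculated_risk_score source
    [ eval missing_fields=if(isnull('<<FIELD>>'),
                             coalesce(missing_fields, "")."<<FIELD>> ",
                             missing_fields) ]
| where isnotnull(missing_fields)
| table _time search_name risk_object missing_fields
```

Extend the foreach list with any other field you copy from "Risk - 24 Hour Risk Threshold Exceeded - Rule"; a notable that shows up here with a populated missing_fields column is one the timeline will reject.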


I did resolve this issue for us, as per my other post on this page.

Weirdly it didn't involve the calculated_risk_score field as we just don't have that field at all. Weird!




Please put a picture or screenshot.
