Splunk Enterprise Security

Workflow status and ownership reset after 2.41 to 3.22 ES upgrade

jemeche
New Member

I recently upgraded to ES 3.2.2 on a Splunk 6.2.2 deployment.

For some reason all notable events have been reset to status new and the owner has been changed to unassigned.

I also cannot query events using the incident_review macro any longer.

The incident_review.csv file still contains all the status and comment changes that have been made, but for some reason none of that is being populated into splunk.

Any ideas?


LukeMurphey
Champion

ES 3.2.1 no longer uses the CSV lookup file to maintain the state of notable events; it now uses a KV store (necessary in order to support Search Head Clustering). ES 3.2.1 automatically migrates the contents of incident_review.csv to the KV store upon upgrade.

You should still be able to view the contents using the incident_review lookup though since the macro refers to incident_review_lookup which now points to the KV-store based lookup (unless customizations were made on your install).

I'm not sure why the statuses were reset. I would recommend opening a support case to troubleshoot the issue.

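A way to check the answer above before opening a support case: rebuild the expected status and owner of each notable from the old incident_review.csv (newest row per rule_id, which is what a migration has to preserve) and diff it against what the KV-store lookup now returns. This is an added example, not code from the thread or from Splunk ES. It assumes the incident_review.csv column layout `time,rule_id,owner,urgency,status,comment,user` and that the KV-store rows (for instance exported with `| inputlookup incident_review_lookup`) carry the same field names; both are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of the old incident_review.csv (column layout assumed).
# Unix timestamps; status codes are ES's numeric status ids as stored.
SAMPLE_CSV = """time,rule_id,owner,urgency,status,comment,user
1425000000,ABC123@@notable@@aaa,admin,high,2,Investigating,admin
1425003600,ABC123@@notable@@aaa,admin,high,5,Closed - false positive,admin
1425001000,DEF456@@notable@@bbb,analyst1,medium,3,Working on it,analyst1
1424990000,GHI789@@notable@@ccc,unassigned,low,1,,admin
"""

# Constructed sample of what the KV-store lookup returned after the upgrade,
# mirroring the symptom in the question: every notable back to status 1 / unassigned.
SAMPLE_KVSTORE = [
    {"time": "1425100000", "rule_id": "ABC123@@notable@@aaa", "owner": "unassigned", "status": "1"},
    {"time": "1425100000", "rule_id": "DEF456@@notable@@bbb", "owner": "unassigned", "status": "1"},
    {"time": "1425100000", "rule_id": "GHI789@@notable@@ccc", "owner": "unassigned", "status": "1"},
]


def latest_state(rows):
    """Collapse review rows to the newest entry per rule_id.

    Each row is a dict with at least time, rule_id, owner, status.  The
    incident review log is append-only, so the current state of a notable is
    the row with the greatest time for that rule_id.
    """
    latest = {}
    for row in rows:
        rid = row["rule_id"]
        t = int(row["time"])
        if rid not in latest or t > latest[rid]["time"]:
            latest[rid] = {
                "time": t,
                "owner": row["owner"],
                "status": row["status"],
                "comment": row.get("comment", ""),
            }
    return latest


def parse_incident_review_csv(csv_text):
    """Parse incident_review.csv text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def diff_csv_against_kvstore(csv_text, kv_rows):
    """Return a sorted list of (rule_id, reason) for notables whose state in
    the KV store does not match the last state recorded in the CSV.

    reason is "missing" when the KV store has no row for the rule_id, otherwise
    a short description of the owner/status mismatch.
    """
    expected = latest_state(parse_incident_review_csv(csv_text))
    actual = latest_state(kv_rows)
    diffs = []
    for rid, exp in expected.items():
        got = actual.get(rid)
        if got is None:
            diffs.append((rid, "missing"))
        elif got["owner"] != exp["owner"] or got["status"] != exp["status"]:
            diffs.append((rid, "owner %s->%s, status %s->%s" % (
                exp["owner"], got["owner"], exp["status"], got["status"])))
    return sorted(diffs)


if __name__ == "__main__":
    for rid, reason in diff_csv_against_kvstore(SAMPLE_CSV, SAMPLE_KVSTORE):
        print(rid, reason)
```

Run against the real files by reading incident_review.csv from the lookups directory and feeding the exported KV-store rows in place of `SAMPLE_KVSTORE`; an empty diff means the migration preserved state and the reset is a display or macro problem, while a non-empty diff is concrete evidence to attach to the support case.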