Splunk Enterprise Security

Workflow status and ownership reset after 2.41 to 3.22 ES upgrade

jemeche
New Member

I recently upgraded to ES 3.2.2 on a Splunk 6.2.2 deployment.

For some reason all notable events have been reset to status new and the owner has been changed to unassigned.

I also cannot query events using the incident_review macro any longer.

The incident_review.csv file still contains all the status and comment changes that have been made, but for some reason none of that is being populated into Splunk.

Any ideas?


LukeMurphey
Champion

ES 3.2.1 no longer uses the CSV lookup file to maintain the state of notable events; it now uses a KV store (necessary in order to support Search Head Clustering). ES 3.2.1 automatically migrates the contents of incident_review.csv to the KV store upon upgrade.

You should still be able to view the contents using the incident_review lookup though since the macro refers to incident_review_lookup which now points to the KV-store based lookup (unless customizations were made on your install).

I'm not sure why the statuses were reset. I would recommend opening a support case to troubleshoot the issue.

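Before opening the support case, it helps to know exactly which notables lost state in the migration the answer above describes. The following script, an added example that is not part of the thread or of Splunk ES, reconciles the old CSV history against a JSON export of the KV-store collection and reports every notable whose current status or owner differs between the two. The CSV column set (time, rule_id, owner, urgency, status, comment, user), the numeric status codes (1 = New), and the shape of the KV-store export are assumptions for the sake of the example; the sample data is constructed.

```python
import csv
import io
import json

# Constructed sample of incident_review.csv as maintained by ES 3.1 and earlier.
# Column set assumed; status holds the numeric review-status code (1 = New).
CSV_SAMPLE = """time,rule_id,owner,urgency,status,comment,user
1425000000,A1B2C3D4-0000-0000-0000-000000000001,unassigned,medium,1,,admin
1425000600,A1B2C3D4-0000-0000-0000-000000000001,analyst1,medium,2,Looking into it,analyst1
1425001200,A1B2C3D4-0000-0000-0000-000000000001,analyst1,medium,5,False positive,analyst1
1425000000,A1B2C3D4-0000-0000-0000-000000000002,unassigned,high,1,,admin
1425003000,A1B2C3D4-0000-0000-0000-000000000002,analyst2,high,3,Escalated,analyst2
"""

# Constructed sample of the KV-store collection after an incomplete migration,
# in the shape of a JSON export from the collection's REST data endpoint (assumed).
KV_SAMPLE = json.dumps([
    {"_key": "k1", "time": "1425000000", "rule_id": "A1B2C3D4-0000-0000-0000-000000000001",
     "owner": "unassigned", "urgency": "medium", "status": "1", "comment": "", "user": "admin"},
    {"_key": "k2", "time": "1425000000", "rule_id": "A1B2C3D4-0000-0000-0000-000000000002",
     "owner": "unassigned", "urgency": "high", "status": "1", "comment": "", "user": "admin"},
    {"_key": "k3", "time": "1425003000", "rule_id": "A1B2C3D4-0000-0000-0000-000000000002",
     "owner": "analyst2", "urgency": "high", "status": "3", "comment": "Escalated", "user": "analyst2"},
])


def load_csv_history(text):
    """Parse the append-only CSV history into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def load_kv_history(text):
    """Parse a JSON export of the KV-store collection into a list of row dicts."""
    return json.loads(text)


def latest_by_rule(rows):
    """Return {rule_id: row}, keeping the row with the largest time per notable.
    Incident review history is append-only, so the newest row is the current state."""
    latest = {}
    for row in rows:
        rid = row["rule_id"]
        if rid not in latest or int(row["time"]) > int(latest[rid]["time"]):
            latest[rid] = row
    return latest


def find_regressions(csv_text, kv_text):
    """Compare the current (status, owner) of every notable in the CSV history with
    the KV store. Returns {rule_id: {"csv": (status, owner), "kvstore": (status, owner) or None}}
    for each notable whose KV-store state disagrees with, or is absent from, the CSV."""
    csv_state = latest_by_rule(load_csv_history(csv_text))
    kv_state = latest_by_rule(load_kv_history(kv_text))
    regressions = {}
    for rid, row in csv_state.items():
        expected = (row["status"], row["owner"])
        kv_row = kv_state.get(rid)
        actual = (kv_row["status"], kv_row["owner"]) if kv_row else None
        if actual != expected:
            regressions[rid] = {"csv": expected, "kvstore": actual}
    return regressions


def missing_rows(csv_text, kv_text):
    """List (rule_id, time) for every CSV history row that has no counterpart in the
    KV store; a non-empty result means the migration dropped history, not just state."""
    present = {(r["rule_id"], r["time"]) for r in load_kv_history(kv_text)}
    return [(r["rule_id"], r["time"]) for r in load_csv_history(csv_text)
            if (r["rule_id"], r["time"]) not in present]


if __name__ == "__main__":
    for rid, diff in find_regressions(CSV_SAMPLE, KV_SAMPLE).items():
        print(f"{rid}: csv={diff['csv']} kvstore={diff['kvstore']}")
    print(f"{len(missing_rows(CSV_SAMPLE, KV_SAMPLE))} history rows missing from KV store")
```

Against real data, replace the two samples with the contents of incident_review.csv and an export of the KV-store collection; the list of missing history rows is what support will want to see alongside the regressions, because it distinguishes a migration that only lost the latest state from one that never copied the rows at all.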