Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Mission Control missing Event Action
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mission Control missing Event Action
On-prem Splunk Enterprise Security environment, I just recently upgraded to Enterprise Security 9.4.1 and the ES app to 8.0.3.
I was watching a video on using Mission Control, and an investigation was created from a notable event. Within the investigation, a search was done, to add it to the Investigation. I want to do this, but when I select the evetn action drop down, within the Search results, I don't have much there, just the default Splunk Event Actions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I havent got access to ES today to check this, however it could be the context of the app you are using for the search, in the video can you see which app they are in when they run the search? Are you in the same app when you run your search? It could be that the event action is only
When you are running your search, is it in the same app? (Im assuming Mission Control or ES app..)
If you're able to share a link to the video I can check for you although I have a feeling that this is an ES7 feature that might not be in ES8 (Yet?) - The more I think about it, the more I think this behaviour is different in ES8 and you're expected to create Investigations from the Analyst Queue and then work from there?
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for the info!
The app I was working in was Mission Control, going along with the Video, but your suspicion of ES version is probably spot on. This video is two years old, and I just upgraded to the latest version recently.
This was the video:
https://youtu.be/xhfb5Cc11Tg?t=177
I understand what you mean about creating the event from the analyst queue. I'm just confused about how to add more searched events when performing manual searches. There is an events tab within the investigation. What I'm seeing you would go to the Search tab and if you find anything else of interest you should be able to add it along to your investigation created. Right now the only way I can populate additional searches into this tab, is by using the add events macro, which works fine, but this can cause accidental additions if my SPL catches other entries in my search which I don't want added to the investigation. Seems like a better way would be to allow me to manually add the event by finding the search myself and telling splunk to add it.
Hope that makes sense?
I did training on the previous version of Splunk for investigations, this newer Mission Control is totally different and appears to lack some of the functionality in the older version? Or perhaps I'm just missing something in terms of workflow for investigations in this version of Splunk ES - I see Response is probably the primary tab to work in, but it feels lacking at the moment. Probably because everything is defaulted at the moment.
Aligning Observability Costs with Business Value: Practical Strategies
Mastering Data Pipelines: Unlocking Value with Splunk
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
