Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Incident Review Incidents Disappear when search completes

miront
Explorer
‎03-22-2016 07:10 PM

This is an odd issue. After a restart of Splunk my incident review dashboard will show all of my incidents as long as I filter out high.

When I initially land on incident review and it does its autorun 24h search I briefly see all of my incidents before they all disappear. It still gives me the option to select all xx incidents so they are there, just not displaying.

If I filter out the one high event (by greying out the 'high' box) everything displays fine.

I changed the urgency on the one high to critical and re-ran the search to include the high results as well. Still, everything disappears.

High seems to be the only thing causing this issue. All other combinations of searches I have tried work fine. Anything that is paired with high aside from high by itself will not display the incidents.

UPDATE
2016-03-22 19:22:24,045 ERROR [56f1fde0097f0d841f4290] utility:49 - name=javascript, class=Splunk.Error, lineNumber=9, message=Uncaught TypeError: Cannot read property 'toString' of undefined, fileName=https://10.10.10.10:9000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=*&...

Tags (2)
0 Karma
Reply

smeier
Path Finder
‎09-02-2017 08:50 AM

I had possibly a related issue when stumbling upon your post. In the error console this was logged-

incident_review.js:6 Uncaught TypeError: s.replace is not a function
    at Object.getFieldValue (https://prdbsx0005:8443/en-US/static/@e82289930bdd:302/app/SA-ThreatIntelligence/js/pages/incident_review.js:6:2278026)
    at eval (eval at x.template (...

In my case it turned out to be someone had put a variable substitution in the correlation search name (e.g. $username$) instead of the notable event title. This was causing the error.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...