Hello,

I have a problem with the Analyst Queue: I am not able to add a column to the Analyst Queue in the GUI. When I do this (using the cogwheel icon on the Analyst Queue dashboard), the column is added, but when I log off and log on again, the previously added column disappears and the Analyst Queue is in its default setting again.

I expected that the new config of the Analyst Queue would be saved in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/log_review.conf, but I found that this file remains untouched when I add a new column.

Is there any way to add a new column to the AQ permanently? Right now I am aware of only one way: manually editing the $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/log_review.conf file (this works), but this is not usable for analysts who would like to customize the AQ GUI and do not have the privilege to edit config files.

The environment is a Search Head cluster (3 nodes) with Splunk Enterprise 9.3.0 and Enterprise Security 8.1.0.

Any hint would be highly appreciated.

Best regards
Lukas Mecir