Just to add to my previous post, beware of using the UI to update the filter_sets KV store, for example through the Splunk App for Lookup File Editing. Using that method is likely to save the JSON filter content as an escaped string, which will result in the Incident Review page not loading anymore (due to JS errors - which can be seen in the browser JS console). Instead, use the REST API endpoints directly (via curl or a script).

Here is an example that worked for me:

1. Copy the JSON of a Saved Filter and adapt it if needed.

2. Insert the new Saved Filter into the filter_sets collection under the target user's context (named "test" in my example):

   ```bash
   # POST a new record into filter_sets in the context of user "test"
   curl -k -u admin:changeme \
     https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets \
     -H 'Content-Type: application/json' \
     -d '{"filters": {
           "type": {"label": "Type", "values": [] },
           "urgency": {"label": "Urgency", "values": [] },
           "status": {"label": "Status", "values": ["0", "1", "2", "3"] },
           "owner": {"label": "Owner", "values": [] },
           "domain": {"label": "Domain", "values": [] },
           "search": {"label": "Search", "values": ""},
           "source": {"label": "Source", "values": [] },
           "tag": {"label": "Tags", "values": [] },
           "earliest": {"label": "Earliest", "values": "-24h@h"},
           "latest": {"label": "Latest", "values": "now"},
           "xref": {"label": "Associations", "values": [] } },
         "name": "Open Incidents", "_user": "admin"}'
   ```

3. Re-read the newly added KV Store entry:

   ```bash
   # GET all filter_sets records visible in the context of user "test"
   curl -k -u admin:changeme \
     https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets
   ```

4. Make sure the data returned is properly formatted JSON (as opposed to an escaped string) and note the `_key` value that was assigned.

5. (Optionally) If you would like to make the new Saved Filter the default for the target user, add a `defaultFilterSet` entry with the `_key` value taken above to the user's user-prefs.conf file (under `$SPLUNK_HOME/etc/users/test/user-prefs/local/user-prefs.conf`). For example:

   ```ini
   [general]
   tz = America/New_York
   search_use_advanced_editor = true
   search_line_numbers = false
   search_auto_format = false
   defaultFilterSet = 64497a238e2e60128c6be2e3
   ```

Have the target log out and log back in again, and you should be all set.
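The "properly formatted JSON versus escaped string" check described in the post above can be scripted against the body returned by the GET request. This is an added example, not part of the original post; it assumes the escaped content sits in each record's `filters` field, and the sample records and their `_key` values are constructed.

```python
import json

def unescape(value, max_depth=3):
    """Decode a value that was JSON-encoded into a string one or more times."""
    depth = 0
    while isinstance(value, str) and depth < max_depth:
        try:
            value = json.loads(value)
        except ValueError:          # not JSON text, stop decoding
            break
        depth += 1
    return value, depth

def audit_filter_sets(records):
    """Classify each filter_sets record from the collection GET response."""
    report = []
    for rec in records:
        filters, fixed = rec.get("filters"), None
        if isinstance(filters, dict):
            # Every filter entry should be an object with label and values.
            bad = [k for k, v in filters.items()
                   if not (isinstance(v, dict) and "label" in v and "values" in v)]
            status = "malformed" if bad else "ok"
        else:
            decoded, depth = unescape(filters)
            if depth and isinstance(decoded, dict):
                # Stored as an escaped string; keep the decoded form for review.
                status, fixed = "escaped", dict(rec, filters=decoded)
            else:
                status = "malformed"
        report.append({"_key": rec.get("_key"), "name": rec.get("name"),
                       "status": status, "fixed": fixed})
    return report

# Constructed sample records (assumption: shaped like the GET response above).
GOOD = {"status": {"label": "Status", "values": ["0", "1", "2", "3"]},
        "earliest": {"label": "Earliest", "values": "-24h@h"}}
SAMPLE = [
    {"_key": "constructed-key-1", "name": "Open Incidents", "filters": GOOD},
    {"_key": "constructed-key-2", "name": "Saved via UI", "filters": json.dumps(GOOD)},
    {"_key": "constructed-key-3", "name": "Double encoded",
     "filters": json.dumps(json.dumps(GOOD))},
]

if __name__ == "__main__":
    for row in audit_filter_sets(SAMPLE):
        print(row["_key"], row["name"], row["status"])
```

To run it on real data, pass `json.loads()` of the saved curl output to `audit_filter_sets` instead of `SAMPLE`.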