Have you tried following the documentation here? You don't mention if you're in a distributed/standalone or clustered env., but did you try to manually upgrade your KVStore?  Did you check your migration logs or mongod log?  Any errors? ... View more

Just to add to my previous post, beware of using the UI to update the filter_sets KV store, for example through the Splunk App for Lookup File Editing.  Using that method is likely to save the JSON filter content as an escaped string, which will result in the Incident Review page not loading anymore (due to JS errors - which can be seen in the Browser JS Console). Instead use the REST API endpoints directly (via curl or a script).  Here an example that worked for me: Copy the JSON of a Saved Filter and adapt it if needed Insert the new Saved Filter into the filter_sets collection under the target user's context (named "test" in my example): curl -k -u admin:changeme \ https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets \ -H 'Content-Type: application/json' \ -d '{"filters": {"type": {"label": "Type", "values": [] }, "urgency": {"label": "Urgency", "values": [] }, "status": {"label": "Status", "values": ["0", "1", "2", "3"] }, "owner": {"label": "Owner", "values": [] }, "domain": {"label": "Domain", "values": [] }, "search": {"label": "Search", "values": ""}, "source": {"label": "Source", "values": [] }, "tag": {"label": "Tags", "values": [] }, "earliest": {"label": "Earliest", "values": "-24h@h"}, "latest": {"label": "Latest", "values": "now"}, "xref": {"label": "Associations", "values": [] } }, "name": "Open Incidents", "_user": "admin"}' Re-read the newly added KV Store entry: curl -k -u admin:changeme \ https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets Make sure the data returned is properly formatted JSON (as opposed to a escaped string) and note the _key value that was assigned. (Optionally) If you would like to make the new Saved Filter the default for the target user, add a defaultFilterSet entry with the _key value taken above to the user's user-prefs.conf file (under $SPLUNK_HOME/etc/users/test/user-prefs/local/user-prefs.conf).  For example: [general] tz = America/New_York search_use_advanced_editor = true search_line_numbers = false search_auto_format = false defaultFilterSet = 64497a238e2e60128c6be2e3 Have the target log out and log back in again, and you should be all set. ... View more

See the answer to your other question here:  https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-does-the-incident-review-saved-filters-get-saved-to/m-p/639516/highlight/false#M11441   ... View more

Hi @cmeisch , This is stored in a KV store collection named filter_sets in the SA-ThreatIntelligence application under the relevant user's context. For example, if I have created a saved filter named Open incidents as the admin user as follows: ... Splunk will look at this REST endpoint: /en-US/splunkd/__raw/servicesNS/admin/SA-ThreatIntelligence/storage/collections/data/filter_sets/61e0d46bfce79543a15dd844 Which contains:   ... View more

Old post, but just wanted to mention I'm also still seeing this (Splunk 8.2.6 to Splunk 9.0.0).  The message implies this might cause a conflict/issue... we might want to either improve it or document what needs to be corrected/checked from the user's part? ... View more

@fedejko You should be able to join the two sets together, like this, for example (reusing your two queries): | rest /services/saved/searches | search title="*Rule" action.notable=1 | fields title | eval has_triggered_notables = "false" | join type=outer title [ search index=notable search_name="*Rule" orig_action_name=notable | stats count by search_name | fields - count | rename search_name as title | eval has_triggered_notables = "true" ] That adds a field has_triggered_notables which will indicate if a rule has triggered notable and you can then filter out the results to your liking, for example, to show only the rules which did trigger notables: | where has_triggered_notables = "true" ... View more

Splunk> NOC your SOCs off! ... View more

Could you please try using the Splunk management port (default: 8089) as in the example here? All the REST API endpoints are exposed over that port and not the default Splunk UI Web port (8000). For example: // Create a Service instance var service = new Service(Scheme.Https, "localhost", 8089, new Namespace(user: "nobody", app: "search")) // Log in await service.LoginAsync("admin", "yourpassword"); ... View more

Good things come to those who Splunk ... View more

Splunk> I do not fear computers. I fear the lack of Splunk. ... View more

Splunk> The Eye of Sauron ... View more

You could use eval tokens: https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting For example: <eval token="new_token">replace('mac_address_token', ":", "")</eval> ... View more