There are two ways to prevent those messages: 1) create the missing index; 2) disable the input(s) sending to the missing index. Make sure to create the indexes on the indexer, not just on the search head. ... View more

Hello @IWilsonR, I found a question on SplunkAnswers which is very similar to yours: Account Creation And Deletion within a given time. Try this search using the transaction command: index=Linux_os eventtype="linux_sec" | transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2 | where duration<24*3600 This should work too: index=Linux_os eventtype="linux_sec" | transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2 maxspan=24h ... View more

Have you looked at the Audit->Incident Review Audit dashboard? This shows reviewed/closed ones. You can look at the underlying searches and update as needed. You can also look at http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA to view diff macros and create searches to match your need e.g | incident_review | rename status_label AS status | ... View more