I don't think the sort change is possible using the standard "Incident Review" Dashboard You could make a search that displays what you are looking for a separate dashboard or you could add a dropdown to the "Incident Review" dropdown that would only show open critical incidents or something of that nature. Here is a link that would help. http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu ... View more

I would recommend doing a field extraction using regex to capture the i,j,k,o,p and q into a field named code. Then in your search use the case command to transform the letter code to the word. | eval Status_Code=case(code==i,"Upload",code==j,"Errored",code==k,"Aborted" etc..... ) ... View more

'es_notable_events' works off an inputlookup that I don't think you can get data further back than the last 24 hours. Try This search it seems to work for me. `notable' | search NOT `suppression' | search (status="*") (owner="*") (security_domain="*") | timechart minspan=1h count by urgency The 'notable' macro works of the notable index so you should get the data your looking for. ... View more

What is the sourcetype for your logs? Are any of the fields being extracted when you search on the sourcetype? ... View more

You wrote "but... to clear my meaning, my exact question is how it can understand these priority and severity? for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly? or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!" Splunk assigns ugency by mapping the assigned severity to the assigned priority of the asset for the various correlation searches. It is important to check the chart given in the answer above by koshyk . I found most of our assets were classified as unknown therefore lowering the urgency of the alert. What we did to fix this situation was to change the columns so that ugency matched the assigned severity. This may not have been the best solution but it solved our issue. We were then easily able to map the urgency on the incident review dashboard to the expected severity in the correlation search as it no longer considered the asset in making the determination. Hope this helps. ... View more

After review I think I agree. Since I'm new I wanted to check and see if anyone had any idea's. ... View more

I have quadruple checked spelling and case. That is not it. I'll keep searching. Thanks for the advice. ... View more

Yes, I would see where that should work but it is not. Inputlookup seems to find the events but lookup does not. Also as mentioned what is really strange is another lookup works fine. mylookup2 against logfile2. The only difference is mylookup2.csv was added through the UI and mylookup.csv was populated from a search. I have ensured permissions on the lookup table file and definition are the same for mylookup and mylookup2. Not sure what else to do? Thanks for the feedback. ... View more