Troubleshoot performance issues by editing saved searches in Splunk Enterprise Security
- Mitre Attack Related Searches
[Mitre - Technique Lookup]
[Mitre - Tactic Lookup]
[Mitre - Get TechniqueIds For Risk Object]
- Threat Topology Searches
[Incident Review - Threat Topology - Current Threat Object]
[Incident Review - Threat Topology - Threat Topology Search]
Follow these steps to edit the saved searches that run on Splunk Enterprise Security:
- Identify the saved searches by navigating to the Splunk Search and Reporting app: Search > Search History.
This displays a list of all recent searches, including saved searches.
Alternatively, you can open the developer tools and navigate to the Network tab. Search for the SPL to the Jobs endpoint. Click on the Request parameter to view the Payload tab and identify the saved search that was run on Splunk Enterprise Security.
- Navigate to the saved search: Configure > Content Management > Searches, Reports, and Alerts.
- Edit the saved search by click on the saved search: Edit Search > Search.Note: If you don't have edit permissions, you must contact the Splunk administrator who created the saved search.
Troubleshoot performance issues due to large KV Store collections
Troubleshoot messages about default indexes searched by the admin role
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.1, 7.2.0