Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot the display of findings or investigations in the analyst queue

Issue

Unable to edit findings or investigations successfully on the Analyst queue of the Mission Control page.

Causes

The following are common causes that prevent an analyst from editing findings and investigations on the analyst queue:

  1. The analyst might not have permission to make status transitions.
  2. The analyst might be attempting to edit a finding that is visible but cannot be edited successfully because of the limit on the number of events that can be retrieved from a single index bucket. When a detection creates a large number of findings in a short period, for example 1000 in under five minutes, the search that the Analyst queue in the Mission Control page runs to retrieve findings from the finding index can hit the max_events_per_bucket limit, and the edit does not complete.


Solutions

  1. Grant the analyst's role permission to make the required status transitions. For more information on status transitions, see Manage notable event statuses.
  2. Use a smaller time range when reviewing findings on the Analyst queue in the Mission Control page to reduce the number of events that must be retrieved from a bucket. For example, narrow the time range until fewer than 1000 findings are returned.
  3. Modify the max_events_per_bucket setting in the limits.conf configuration file, which has a default value of 1000. A search that retrieves fewer than 1000 events from any one bucket cannot hit this limit; raising the setting allows a search to retrieve more events from each bucket, at the cost of more work per search.

    Raising this setting can negatively affect the performance of your Splunk software deployment, because every search is allowed to pull more events from each bucket, not only the Analyst queue search. If you are running Splunk Enterprise Security on Splunk Cloud Platform, you cannot edit limits.conf directly; file a support ticket for assistance with this setting.

    Follow these steps to modify the max_events_per_bucket setting in the limits.conf configuration file:

    1. Open limits.conf for editing. See How to edit a configuration file in the Splunk Enterprise Admin Manual.
    2. Set max_events_per_bucket to a number above 1000 that covers the number of findings a single detection can create within the time range you review.
    3. Save.

    See limits.conf for more about the max_events_per_bucket setting.
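The following shell script is an added example and is not part of the Splunk documentation or of Splunk software. It applies the steps above on a Splunk Enterprise search head: it creates or updates max_events_per_bucket inside the [search] stanza of a limits.conf file without disturbing the other settings in that file, and it reads the value back so you can confirm the edit before restarting. Two things are assumptions: that the setting belongs in the [search] stanza (confirm against limits.conf.spec for your version), and that the file to edit is $SPLUNK_HOME/etc/system/local/limits.conf (an app-level local directory is equally valid; the choice affects precedence). The sample limits.conf content at the bottom is constructed for the demonstration and is written to a temporary file, not to a real deployment.

```shell
#!/bin/sh
# Added example (not Splunk's own code): update max_events_per_bucket in a
# limits.conf file and verify the result. Assumes the setting lives in the
# [search] stanza; check limits.conf.spec for your Splunk version.

# set_max_events_per_bucket <conf-file> <value>
# Creates or replaces "max_events_per_bucket = <value>" inside [search].
# Other stanzas and settings are copied through unchanged. If the file has
# no [search] stanza, one is appended.
set_max_events_per_bucket() {
    conf=$1
    value=$2
    [ -f "$conf" ] || : > "$conf"
    awk -v val="$value" '
        # A stanza header: if we are leaving [search] without having written
        # the key, write it first; then record whether we are entering [search].
        /^\[/ {
            if (in_search && !done) { print "max_events_per_bucket = " val; done = 1 }
            in_search = ($0 == "[search]")
        }
        # An existing max_events_per_bucket line in [search]: replace it once,
        # drop any duplicates.
        in_search && /^[[:space:]]*max_events_per_bucket[[:space:]]*=/ {
            if (!done) { print "max_events_per_bucket = " val; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_search) print "[search]"
                print "max_events_per_bucket = " val
            }
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_max_events_per_bucket <conf-file>
# Prints the value set in [search], or 1000 (the documented default) if the
# file does not set it. Note this reads one file only; the effective value
# after Splunk merges all limits.conf files is shown by
#   splunk btool limits list search --debug
get_max_events_per_bucket() {
    awk '
        /^\[/ { in_search = ($0 == "[search]") }
        in_search && /^[[:space:]]*max_events_per_bucket[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
        }
        END { if (!found) print 1000 }
    ' "$1"
}

# Demonstration on a constructed limits.conf written to a temporary file.
demo_conf=$(mktemp)
printf '[search]\nmax_events_per_bucket = 1000\n\n[kv]\nlimit = 100\n' > "$demo_conf"
echo "before: $(get_max_events_per_bucket "$demo_conf")"   # 1000
set_max_events_per_bucket "$demo_conf" 2000
echo "after:  $(get_max_events_per_bucket "$demo_conf")"   # 2000
rm -f "$demo_conf"

# On a real search head (assumed path), the same two calls would be:
#   set_max_events_per_bucket "$SPLUNK_HOME/etc/system/local/limits.conf" 2000
#   "$SPLUNK_HOME/bin/splunk" btool limits list search --debug | grep max_events_per_bucket
# then restart Splunk software so the new limit is read.
```

Pick the new value from evidence rather than guessing: count the findings the affected detection produced in the time range analysts review, and set the limit just above that figure so you do not loosen the bucket limit for every search on the deployment more than necessary.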

See also

For more information on roles and status transitions, see the product documentation:

Last modified on 11 July, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

