Troubleshoot the display of findings or investigations in the analyst queue
Issue
Unable to edit findings or investigations successfully on the Analyst queue of the Mission Control page.
Causes
The following causes can prevent an analyst from editing findings and investigations on the analyst queue:
- The analyst might not have permission to make status transitions.
- The analyst might be attempting to edit a finding that is visible but cannot be edited successfully because of the limited number of events that can be retrieved from a bucket. If a detection creates a high number of findings in a short period of time, such as 1000 in less than five minutes, the Analyst queue in the Mission Control page can hit the max_events_per_bucket limit when retrieving findings for display from the finding index.
Solutions
- Manage the status transitions for findings. For more information on status transitions, see Manage notable event statuses.
- Use a smaller time range when reviewing findings on the Analyst queue in the Mission Control page to reduce the number of events that must be retrieved from a bucket. For example, a time range that reduces the number of events to less than 1000.
- Modify the max_events_per_bucket setting in the limits.conf configuration file, which has a default value of 1000. A search that produces fewer than 1000 events cannot produce this error. You can raise the maximum number of events that can be returned from a bucket, but modifying this setting can negatively affect the performance of your Splunk software deployment. If you are running Splunk Enterprise Security on Splunk Cloud Platform, file a support ticket for assistance with this setting.
Follow these steps to modify the max_events_per_bucket setting in the limits.conf configuration file:
- Open limits.conf for editing. See How to edit a configuration file in the Splunk Enterprise Admin Manual.
- Set max_events_per_bucket to a number above 1000.
- Save.
See limits.conf for more about the max_events_per_bucket setting.
See also
For more information on roles and status transitions, see the product documentation:
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0