Splunk® Enterprise Security

Administer Splunk Enterprise Security

Sort and filter findings and investigations for triage in Splunk Enterprise Security

Sort and filter findings and investigations in the Analyst queue on the Mission Control page to identify and group specific findings and investigations together and accelerate the triage process.

Sorting and filtering findings and investigations lets you drill down on specific and detailed information and helps to categorize, track, and assign findings to analysts based on specific criteria to identify potential threats faster.

For example, filtering findings and investigations by the Status field removes the need to review unrelated statuses and prevents statuses from being duplicated. You can select the In-progress status from the available statuses (Unassigned, New, In-progress, Resolved, or Closed) to display only the findings or investigations that are currently in progress.

Alternatively, you can enter a specific filter criterion and add it to the list of filter options. For example, in the Analyst queue settings you can add the ID, labels, and their corresponding fields as filter options for findings and investigations.

The following screenshot shows some of the sort and filter options for findings and investigations in the Analyst queue.

Sort filters for findings and investigations in the Analyst queue.

Sort the findings and investigations

Follow these steps to sort the findings and investigations in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, go to the Mission Control page.
  2. In the Analyst queue, select the down arrow next to the column heading of the finding or investigation field you want to sort by.
  3. Select A to Z or Z to A to sort the column in ascending or descending order on the Analyst queue.

Filter the findings and investigations

Follow these steps to filter the findings and investigations in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, go to the Mission Control page.
  2. In the Analyst queue, select the down arrow next to a specific field column such as Status of the finding or investigation.
  3. Select In-progress or New to filter the findings or investigations that are either in progress or are newly created in the Analyst queue.

See also

For more information on the analyst workflow in Splunk Enterprise Security, see the product documentation:

Last modified on 14 June, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
