Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Group incidents by creating parent-child relationships in Splunk Mission Control

Sometimes multiple incidents are part of one security incident with the same root cause. You can investigate these related incidents, compare their data, and update some of their fields simultaneously by creating a parent-child relationship between the incidents. A parent-child incident group is a hierarchy where one primary incident, or the parent incident, has one or more related secondary incidents, or child incidents. Grouping incidents can help reduce the time you spend updating each incident investigation and also help you resolve incidents faster. You can add up to 100 child incidents to a parent incident.

Adding more than 50 child incidents to a parent incident can impact the performance of the parent incident investigation pages. Data such as summary fields and risk events might take several seconds to appear.

Add child incidents to a parent incident

You can group incidents together from the incident review page of Splunk Mission Control, or you can do so while investigating an incident.

To add one or more child incidents to a parent incident from the incident review page, complete the following steps:

  1. Navigate to the Incident review page in Splunk Mission Control.
  2. Select one or more incidents to add to another incident. The incidents you select from the incident review page become the child incidents.
    1. To select multiple incidents, check their respective check boxes.
    2. To select a single incident, hover over the incident and then select the more icon ( more icon ).

      You can only select incidents with no existing parent-child relationship to add to another incident.

  3. Select Add to incident.
  4. Select a parent incident to assign to the child incidents you already selected. For the parent incident, you can choose to either Create new incident or Add to existing incident.
  5. If you want to create a new parent incident, give it a name and then set the fields using the drop-down lists.
  6. If you want to select an existing parent incident, use the drop-down list to choose an incident. You can browse your recent incidents or search for an incident by name, incident ID, or reference ID.
  7. (Optional) Select whether or not you want the owner, status, urgency, sensitivity, and disposition fields for child incidents to mirror that of their parent incident. For example, if you select this option, changing the status of a parent incident from New to Pending automatically makes the same change to the status of all related child incidents.
  8. Select Save.

To add the incident you're investigating to a parent incident, complete the following steps:

  1. From the investigation of a particular incident, select the more icon ().
  2. Select Add to incident. The incident you're investigating becomes the child incident.

    You can only add an incident to another one if both incidents have no existing parent-child relationship.

  3. Select a parent incident to assign to the child incident. For the parent incident, you can choose to either Create new incident or Add to existing incident.
  4. If you want to create a new parent incident, give it a name and then set the fields using the drop-down lists.
  5. If you want to select an existing parent incident, use the drop-down list to choose an incident. You can browse your recent incidents or search for an incident by name, incident ID, or reference ID.
  6. (Optional) Select whether or not you want the owner, status, urgency, sensitivity, and disposition fields for the child incident to mirror that of their parent incident. For example, if you select this option, changing the status of a parent incident from New to Pending automatically makes the same change to the status of all related child incidents.

After you add one or more child incidents to a parent incident, you can see the relationship between the incidents in the incident review table. On the Incident review page, expand an incident with a parent icon ( parent icon ) to see its related child incidents denoted by the child icon ( child icon ).

Review details about incidents in a parent-child relationship

If you're investigating an incident and you want to open the investigation of a related parent or child incident, complete the following steps:

  1. Select the Overview tab
  2. Expand the Parent incident or Child incident section. An incident investigation has one or the other depending on which incident you're viewing.
  3. Select the incident you want to investigate.
Last modified on 18 October, 2023
PREVIOUS
Create an incident in Splunk Mission Control 		  NEXT
Investigate an incident in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters