Configure how events are resolved
Set any tags needed before an event can be marked as resolved. Setting a custom field as a required tag updates the settings for the custom field.
To configure how an event is resolved, follow these steps:
- From the Main Menu, select Administration.
- Select Event Settings > Resolution.
- Check the Require the Following Tags on Resolve checkbox.
- Type the names of any tags needed before an event or container can be marked as resolved. Tags can be removed by clicking the x next to the tag name.
- Set the action Splunk Phantom takes when artifacts are added to a resolved event. Select an action from the drop-down list that matches your business process.
- Select Keep Event Resolved to keep events resolved when new artifacts are added.
- Select Reopen Event to reopen any event that has a new artifact added.
- Select Duplicate Event to create a duplicate event, and then add the new artifact to the new event.
- Click Save Changes.
Configure the response times for service level agreements | Configure labels to apply to containers |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!