Splunk® Phantom (Legacy)

Administer Splunk Phantom

Configure how events are resolved

Set any tags needed before an event can be marked as resolved. Setting a custom field as a required tag updates the settings for the custom field.

To configure how an event is resolved, follow these steps:

  1. From the Main Menu, select Administration.
  2. Select Event Settings > Resolution.
  3. Check the Require the Following Tags on Resolve checkbox.
  4. Type the names of any tags needed before an event or container can be marked as resolved. Tags can be removed by clicking the x next to the tag name.
  5. Set the action Splunk Phantom takes when artifacts are added to a resolved event. Select an action from the drop-down list that matches your business process.
    • Select Keep Event Resolved to keep events resolved when new artifacts are added.
    • Select Reopen Event to reopen any event that has a new artifact added.
    • Select Duplicate Event to create a duplicate event, and then add the new artifact to the new event.
  6. Click Save Changes.
Last modified on 27 January, 2020
Configure the response times for service level agreements   Configure labels to apply to containers

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters