Hi Splunk,
We are running into an issue in Splunk Enterprise Security -> Incident Review. The issue is that when we run a search now within Incident Review, it is returning no results (events). It previously did. When I inspect the job I see this error:
The following messages were returned by the search subsystem:
INFO: Lookup table 'risk_correlation_lookup' is empty.
Would you know why all of a sudden it is empty? Last time I checked, I remember having about 1300 rows in the risk_correlation.csv.
Thank you