Investigation Workflow automatically creates investigations for alert events. You can also create a freeform investigation from scratch.
To create a freeform investigation
- Open the Burndown tab by clicking New in the Sump web app top menu bar, and selecting Burndown from the list of tab options.
- On the Burndown tab, click + Investigation.
- The New Investigation popup appears. Fill in the following fields:
- Note. (Optional) Enter a short note that will be associated with the initial pivot.
- Start. Enter the start date for the investigation.
- End. Enter the end date for the investigation.
- Link Values. Enter one or more link values. As you enter the value, Investigation Workflow will suggest a link type. Some link types, like user and host names, are ambiguous. If the wrong link type is shown, select the correct type from the pulldown. You must enter at least one link value. For information about link value types, see Link Value Types.
- Severity. (Optional) Enter the severity of the investigation.
- Type. Free text; enter any value you want.
- Description. (Optional) Enter a description of the investigation.
- Chain. (Optional) If you choose this option, Investigation Workflow will run secondary queries on all the link values in the factors returned by your primary query. For information about chained queries, see Queries are chained by default.
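Two of the fields above carry most of the analytical weight: Link Values, where a bare token such as a user or host name cannot be typed from its syntax alone, and Chain, which turns the link values found in the primary results into secondary queries. The following Python is an added illustration of both ideas and is not Investigation Workflow's code: the type heuristics, the `EVENTS` sample, the field names (`user`, `host`, `src_ip`) and the `max_depth` parameter are all assumptions made here so the example runs offline.

```python
import ipaddress
import re
from collections import deque

# Constructed sample of normalized events, standing in for the factors a
# primary query would return. These are not product data.
EVENTS = [
    {"time": "2024-03-01T10:00:00Z", "user": "jdoe",       "host": "wks-17", "src_ip": "10.1.2.3"},
    {"time": "2024-03-01T10:05:00Z", "user": "jdoe",       "host": "wks-22", "src_ip": "10.1.2.9"},
    {"time": "2024-03-01T11:00:00Z", "user": "svc_backup", "host": "wks-22", "src_ip": "10.1.2.9"},
    {"time": "2024-03-02T09:00:00Z", "user": "asmith",     "host": "fs-01",  "src_ip": "10.1.5.5"},
    {"time": "2024-03-03T09:00:00Z", "user": "jdoe",       "host": "wks-17", "src_ip": "10.1.2.3"},
]

# Assumed syntactic patterns for link values whose type is unambiguous.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Assumed mapping from link type to the event field it is matched against.
LINK_FIELDS = {"user": "user", "host": "host", "ip": "src_ip"}


def suggest_link_types(value):
    """Return candidate link types for a value, most specific first.

    Values with a distinctive syntax (IP, hash, email, domain) yield one
    candidate. A bare token yields both 'user' and 'host': that is the
    ambiguity the UI pulldown exists to resolve, and the analyst must pick.
    """
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return ["ip"]
    except ValueError:
        pass
    if HASH_RE.match(v):
        return ["hash"]
    if EMAIL_RE.match(v):
        return ["email"]
    if DOMAIN_RE.match(v):
        return ["domain"]
    return ["user", "host"]


def in_window(event, start, end):
    """ISO-8601 UTC timestamps of equal precision compare correctly as strings."""
    return start <= event["time"] <= end


def primary_query(link_type, value, start, end, events=EVENTS):
    """Return the events within [start, end] whose field for link_type equals value."""
    field = LINK_FIELDS[link_type]
    return [e for e in events if e[field] == value and in_window(e, start, end)]


def chained_investigation(seeds, start, end, events=EVENTS, max_depth=1):
    """Run the primary query on each (link_type, value) seed, then, when chaining
    is enabled (max_depth >= 1), run secondary queries on every link value found
    in the returned factors. Pivots already visited are not re-run, so loops
    such as user -> host -> user terminate.

    Returns (visited_pivots, matched_events).
    """
    visited = set()
    matched = []
    queue = deque((t, v, 0) for t, v in seeds)
    while queue:
        link_type, value, depth = queue.popleft()
        if (link_type, value) in visited:
            continue
        visited.add((link_type, value))
        hits = primary_query(link_type, value, start, end, events)
        matched.extend(h for h in hits if h not in matched)
        if depth >= max_depth:
            continue
        # Chaining: every link value in the factors becomes a secondary pivot.
        for ev in hits:
            for lt, field in LINK_FIELDS.items():
                queue.append((lt, ev[field], depth + 1))
    return visited, matched


if __name__ == "__main__":
    start, end = "2024-03-01T00:00:00Z", "2024-03-01T23:59:59Z"
    for v in ("10.1.2.3", "jdoe", "evil.example.com"):
        print(v, "->", suggest_link_types(v))
    pivots, events = chained_investigation([("user", "jdoe")], start, end)
    print(len(pivots), "pivots,", len(events), "events; users:", {e["user"] for e in events})
```

With chaining, the seed `jdoe` pivots through the hosts and IPs in its own events and surfaces `svc_backup`, which shares `wks-22` in the window; with `max_depth=0` (chaining off) only the two `jdoe` events come back. The date window is applied to every secondary query as well, which is why the `jdoe` event on 2024-03-03 never enters the result set.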