Create conditions for a queue

Create conditions to control which findings go to your selected queue.
  1. In Splunk Enterprise Security, select Configure and then Findings and investigations.
  2. Select Team queues.
  3. Locate the queue you want to add conditions to, and then expand it using the expand icon.
  4. Select the Conditions tab.
  5. Select + Conditions.
  6. Use the drop-down lists to create logic that determines which findings belong in that queue. For example, if you want all critical findings to belong in the queue, set the Urgency field to contains any of and then enter Critical for the value.
  7. (Optional) Add or remove rows using the + Row button and the remove icon.
    Note: Operators must be the same for all fields in a condition. You must also use the same operator between each additional condition. To switch between "and" and "or", change the operator for the first field or condition.
  8. Select Save.
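The following is an added illustration of the routing logic the steps above configure, modelled in Python; it is not Splunk's implementation or code from this documentation. It assumes "contains any of" is a case-insensitive substring match, and encodes the note's rule that one operator ("and"/"or") applies to all rows of a condition and one to all conditions, so the page's example (Urgency contains any of Critical) can be checked against constructed findings alongside two multi-row and multi-condition variants.

```python
"""Model of the queue-condition logic in the steps above; a hypothetical
illustration, not Splunk's implementation. Assumes "contains any of" is a
case-insensitive substring match and, per the note, that one operator
("and"/"or") applies to all rows of a condition and one to all conditions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    field: str          # finding field, e.g. "urgency"
    values: tuple       # matches if the field contains any of these values

@dataclass(frozen=True)
class Group:
    items: tuple        # rows (one condition) or conditions (a queue's rule set)
    operator: str = "and"   # the single operator shared by every item

def matches(finding, node):
    """Evaluate a Row or Group against one finding (a dict of field -> value)."""
    if isinstance(node, Row):
        value = str(finding.get(node.field, "")).lower()
        return any(v.lower() in value for v in node.values)
    if node.operator not in ("and", "or"):
        raise ValueError(f"operator must be 'and' or 'or', got {node.operator!r}")
    results = [matches(finding, item) for item in node.items]
    return all(results) if node.operator == "and" else any(results)

def route(findings, queues):
    """Return {queue name: [finding ids]} for a dict of name -> Group."""
    return {name: [f["id"] for f in findings if matches(f, rules)]
            for name, rules in queues.items()}

# Constructed sample findings (not real data).
FINDINGS = (
    {"id": "f1", "urgency": "Critical", "security_domain": "endpoint"},
    {"id": "f2", "urgency": "High", "security_domain": "network"},
    {"id": "f3", "urgency": "Critical", "security_domain": "identity"},
)
QUEUES = {
    # the page's own example: every critical finding
    "Critical": Group((Group((Row("urgency", ("Critical",)),)),)),
    # one condition with two rows joined by "and": critical endpoint findings only
    "Endpoint critical": Group((Group((Row("urgency", ("Critical",)),
                                       Row("security_domain", ("endpoint",))), "and"),)),
    # two conditions joined by "or": critical findings, plus anything on the network
    "Critical or network": Group((Group((Row("urgency", ("Critical",)),)),
                                  Group((Row("security_domain", ("network",)),))), "or"),
}
```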
Manage queue priority