Add a new queue

Add a new team-based queue to organize findings and investigations into a focused workspace that reflects a specific team's responsibilities. Only admins can add a new queue.
  1. In Splunk Enterprise Security, select Configure and then Findings and investigations.
  2. Select Team queues.
  3. Select + Team-based queue.
  4. Enter a name for the queue. The name of each queue must be unique.
  5. (Optional) Enter a description for the queue.
  6. (Optional) In the Settings section of the dialog box, select the checkbox to allow analysts to move items to other queues.
    Checking this option grants analysts permission to move findings and investigations from one team queue to another. You can edit this setting at any time.
  7. Set the Retention period of archived items for this queue.
    The retention period determines how long Splunk Enterprise Security keeps data after it has been archived. After the retention period has passed, the data is deleted and can't be recovered. For more details, see Edit the retention period for a team queue.
  8. Select Save.

Assign role-based access to a queue