Manage saved views to display findings and investigations in Splunk Enterprise Security
Create and manage saved views of filtered findings and investigations to accelerate the triage process during an investigation workflow. Saving specific views of filters and columns on the Mission Control page lets you view the values of the relevant fields for specific investigations and triage them appropriately.
As an analyst, you can configure saved views based on the specific findings or investigations that you want to see. Managing saved views, sharing saved views, and switching between saved views helps to share responsibilities and triage findings and investigations faster. For example, a cyber operations manager can create default saved views for various SOC teams in Splunk Enterprise Security. Saving specific default views provides a starting point for analysts to triage findings and investigations and can help them identify what to look for when they have not defined their own customized saved views.
Create saved views
Reuse the groups of filtered findings during an investigation by saving views. You can reuse saved views or make edits to existing views based on specific fields. Additionally, you can also save a view as a default.
- In Splunk Enterprise Security, select the Mission Control page.
- Filter the analyst queue by your desired fields. For example, use the buttons above the analyst queue to select an item type, such as Findings, that you want to filter by. Then select a column and a value, such as Urgency and then Critical.
- Customize the table settings by selecting the settings icon and then selecting Apply. The table settings are stored in the saved view based on the selected fields and the order in which they are displayed on the Mission Control page.
- Select Save.
- In the Save view dialog box, go to View configuration and verify the fields that you want to use to group the findings. For example, Urgency: Critical.
- In View Name, enter a name for the view.
- (Optional) Check Set as default if you want to add it as a default view.
- (Optional) Check Share with all Enterprise Security users to share the view with other users.
- (Optional) See all existing views by selecting Existing in the Save view dialog box.
- Select Save.
Edit access to saved views
As a Splunk Enterprise Security administrator, you can manage access to saved views for users and analysts. By changing access controls for users and analysts, you can control how different users interact with findings and investigations in the analyst queue on the Mission Control page.
You must have the edit_filter_sets capability to create, edit, and see saved views. By default, this capability is turned on for the ess_analyst role and turned off for the ess_user role. 
Follow these steps to edit access controls for saved views:
- In Splunk Enterprise Security, select Configure then All configurations and then Roles and capabilities.
- Select or deselect the check boxes for Edit saved views to add or remove the edit_filter_setscapability to the appropriate roles.
- Select Save. Note: If you edit capabilities, the changes might take a few minutes to take effect.
Saved views can be either public or private. Public saved views are viewable to any user with the edit_filter_sets capability, while private saved views are viewable only to the person who created the saved view. Even administrators don't have access to a private saved view created by another user. 
Any user with the edit_filter_sets capability can do the following:
- Create a public or private saved view
- View, edit, delete, and share all public saved views
- View, edit, delete, and share a private saved view, but only if they created that saved view
- Set a public saved view to the default view
- Set a private saved view to their default view, but only if they created that saved view
Manage saved views
As an administrator or an analyst, you can edit, delete, and switch between saved views to make the triage process easier during an investigation. Delete a saved view if the view is no longer useful and you don't plan to use the view or share it with other analysts.
Follow these steps to manage saved views:
- In Splunk Enterprise Security, select the Mission Control page.
- Select the arrow icon ( ) to open the left-side panel on the analyst queue. 
- To edit or delete a saved view, select the more icon ( ). 
- Select Manage saved views and identify the saved view that you want to edit or delete.
- To edit a saved view, select the pencil icon next to the saved view you want to edit, and then select Save to apply your changes.
- To delete a saved view, select the trash icon to delete a saved view.
- Select Close.
Select an administrator specified view to view findings and investigations
As a Splunk Enterprise Security administrator, you can save a specific view for analysts and identify that saved view as their default view. This administrator selected view is in addition to a default saved view, which is a global view and is universal for all analysts. The administrator selected view can also be shared between multiple analysts.
Follow these steps to select the administrator specified view:
- In Splunk Enterprise Security, select the Mission Control page.
- Select the arrow icon ( ) to open the left-side panel on the analyst queue. 
- In the Saved views section, select the Admin Selected Saved View. Note: If the admin marked the view as a default view, you can find the Admin Selected Saved View in the Default views section.
Share or un-share a saved view
See also
For more information on analyst workflows and assigning capabilities to a role in Splunk Enterprise Security, see the product documentation:
- Manage analyst workflows using the analyst queue in Splunk Enterprise Security
- Configure the settings for the analyst queue in Splunk Enterprise Security
- Configure users and roles in Splunk Enterprise Security in Install and Upgrade Splunk Enterprise Security manual