Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot missing notable events in Splunk Enterprise Security

If you have a Correlation Search that isn't generating notable events when you think it should, you can check the following potential causes and solutions.

Cause Solution
The notable events are being suppressed. Check to see if the notable index contains notable events. Search in Splunk Web against the notable index to determine if the notable event exists but is being excluded from Incident Review:

index=notable

Suppressions filter notable events from appearing in Incident Review. If you see your notable event in the index, then make sure that no suppressions are preventing the notable event from appearing in Incident Review.
The entire correlation search doesn't match, but part of it does. Run the correlation search manually over the given timeframe and see if it matches the events. If it doesn't match, remove parts of the search until you isolate the part of the search that doesn't match.
The notable alert action isn't triggered. Check the notable alert action logs. These logs indicate if the notable alert action is triggered to make a notable event. Search in Splunk Web to view these logs:

index=_internal sourcetype=notable_modalert

Splunk Enterprise cannot parse the stash file. Verify that the search output doesn't include any unnecessary output. Make sure that the correlation search only outputs the fields you really need, and that the fields don't include extra content such as XML or excessive amounts of text. Extra content can make it difficult for Splunk to parse the stash file. If the stash file can't be parsed, then your notable events may not be generated correctly.
The correlation search schedule is incorrect, not running, or suppressed. Check the search scheduler logs. Search in Splunk Web to view the scheduler logs:

index=_internal sourcetype=scheduler

Look for the following:
  • Make sure that the search is running during the time-frame that you expect events
  • See if suppressed indicates that events are suppressed
  • See if result_count indicates that notable events are created, for example, is greater than one
  • Check the status field to make sure that the search is running successfully
If you are using a distributed architecture, you may have missed creating the notable index on your cluster. See Configure and deploy indexes in the Installation and Upgrade Manual.

See also

Last modified on 22 November, 2021
Troubleshoot dashboards in Splunk Enterprise Security   How Splunk Enterprise Security uses extreme search

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters