Troubleshoot missing notable events in Splunk Enterprise Security
If you have a Correlation Search that isn't generating notable events when you think it should, you can check the following potential causes and solutions.
Cause | Solution |
---|---|
The notable events are being suppressed. | Check to see if the notable index contains notable events. Search in Splunk Web against the notable index to determine if the notable event exists but is being excluded from Incident Review:
|
The entire correlation search doesn't match, but part of it does. | Run the correlation search manually over the given timeframe and see if it matches the events. If it doesn't match, remove parts of the search until you isolate the part of the search that doesn't match. |
The notable alert action isn't triggered. | Check the notable alert action logs. These logs indicate if the notable alert action is triggered to make a notable event. Search in Splunk Web to view these logs:
|
Splunk Enterprise cannot parse the stash file. | Verify that the search output doesn't include any unnecessary output. Make sure that the correlation search only outputs the fields you really need, and that the fields don't include extra content such as XML or excessive amounts of text. Extra content can make it difficult for Splunk to parse the stash file. If the stash file can't be parsed, then your notable events may not be generated correctly. |
The correlation search schedule is incorrect, not running, or suppressed. | Check the search scheduler logs. Search in Splunk Web to view the scheduler logs:
|
If you are using a distributed architecture, you may have missed creating the notable index on your cluster. | See Configure and deploy indexes in the Installation and Upgrade Manual. |
See also
Troubleshoot lookups in Splunk Enterprise Security | Machine Learning Toolkit Overview in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!