Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot missing notable events in Splunk Enterprise Security

If you have a Correlation Search that isn't generating notable events when you think it should, you can check the following potential causes and solutions.

Cause Solution
The notable events are being suppressed. Check to see if the notable index contains notable events. Search in Splunk Web against the notable index to determine if the notable event exists but is being excluded from Incident Review:

index=notable

Suppressions filter notable events from appearing in Incident Review. If you see your notable event in the index, then make sure that no suppressions are preventing the notable event from appearing in Incident Review.
The entire correlation search doesn't match, but part of it does. Run the correlation search manually over the given timeframe and see if it matches the events. If it doesn't match, remove parts of the search until you isolate the part of the search that doesn't match.
The notable alert action isn't triggered. Check the notable alert action logs. These logs indicate if the notable alert action is triggered to make a notable event. Search in Splunk Web to view these logs:

index=_internal sourcetype=notable_modalert

Splunk Enterprise cannot parse the stash file. Verify that the search output doesn't include any unnecessary output. Make sure that the correlation search only outputs the fields you really need, and that the fields don't include extra content such as XML or excessive amounts of text. Extra content can make it difficult for Splunk to parse the stash file. If the stash file can't be parsed, then your notable events may not be generated correctly.
The correlation search schedule is incorrect, not running, or suppressed. Check the search scheduler logs. Search in Splunk Web to view the scheduler logs:

index=_internal sourcetype=scheduler

Look for the following:
  • Make sure that the search is running during the time-frame that you expect events
  • See if suppressed indicates that events are suppressed
  • See if result_count indicates that notable events are created, for example, is greater than one
  • Check the status field to make sure that the search is running successfully
If you are using a distributed architecture, you may have missed creating the notable index on your cluster. See Configure and deploy indexes in the Installation and Upgrade Manual.

See also

Last modified on 25 February, 2021
PREVIOUS
Troubleshoot lookups in Splunk Enterprise Security
  NEXT
Enable Debug Logging in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters