Splunk® Enterprise Security

Administer Splunk Enterprise Security

Troubleshoot search results

You might get unexpected search results if you inadvertently use index time as the Time Tange in your correlation search.

Cause Solution
Unexpected search results from the correlation search Follow these steps to check whether the search is using index time:
  1. Check the savedsearches.conf configuration file to see if the search is using indextime since configuration file settings often change.
  2. Check the fields in the notable event and risk event. If any of the following three fields exist, it indicates that the time range setting was index time when the correlation search was run.
    • use_indextime;
    • info_min_indextime;
    • info_max_indextime
  3. Custom searches might also inadvertently use index time. Check the SPL of the custom search to verify the Time Range used.
  4. Check the scheduler log and the search execution audit logs to see if index time is used in the saved search or drill-down search. Sometimes, if the parent correlation search is using Index time, the underlying drill-down search might also use index time.
Last modified on 14 December, 2023
Troubleshoot missing notable events in Splunk Enterprise Security   Turn on debug logging in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters