Question: Correlation searches are working and notable events are created, but the scorecards are not active.
Answer: Two possibilities exist if notable events are created but do not show up on scorecards within the Splunk App for PCI Compliance.
1. Notable events are being suppressed by a suppression rule.
To troubleshoot this possibility, go to the Suppression Manager and/or the Suppression Audit view to determine whether suppression rules are actively suppressing notable events. You can also run this search to determine whether notable events are being suppressed:
`notable` | search NOT `suppression`
Validate that your suppression rules are accurate and properly enabled/disabled. This might be the way that you want your suppression rules set up.
2. Notable events are not linked to a governance and control value in governance.conf (this would only affect custom PCI correlation searches).
To troubleshoot this possibility, perform these searches to determine if notable events are being filtered due to lack of governance linkage:
`notable`
versus
`notable` | search (`get_governance(pci)`)
To fix this issue, add governance.conf links to notable events per governance.conf.spec or see "Configure correlation searches" in this manual.
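An offline check for the governance linkage described above, as an added example that is not part of the Splunk documentation: it reads governance.conf text and reports which custom correlation searches have no usable PCI link. It assumes the `compliance.<n>.governance` / `compliance.<n>.control` key layout and a stanza name equal to the saved search name; confirm both against the governance.conf.spec shipped with your app. The search names and control numbers in the sample are constructed.

```python
import configparser
import re

# Constructed sample governance.conf; search names and control numbers are made up.
SAMPLE_GOVERNANCE_CONF = """
[Custom - Cardholder DB Access Outside Window - Rule]
compliance.0.governance = pci
compliance.0.control = 10.2

[Custom - Unencrypted PAN Detected - Rule]
compliance.0.governance = sox
compliance.0.control = 3.4

[Custom - Default Vendor Password Used - Rule]
compliance.0.governance = pci
"""

# Assumed key layout: compliance.<n>.governance and compliance.<n>.control
KEY_RE = re.compile(r"^compliance\.(\d+)\.(governance|control)$")


def unlinked_searches(conf_text, search_names, governance="pci"):
    """Return {search_name: reason} for searches lacking a usable governance link."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    problems = {}
    for name in search_names:
        # Stanza names are matched exactly, including case and spacing.
        if not parser.has_section(name):
            problems[name] = "no stanza in governance.conf"
            continue
        pairs = {}  # index <n> -> {"governance": ..., "control": ...}
        for key, value in parser.items(name):
            m = KEY_RE.match(key)
            if m:
                pairs.setdefault(m.group(1), {})[m.group(2)] = value.strip()
        matching = [p for p in pairs.values()
                    if p.get("governance", "").lower() == governance]
        if not matching:
            problems[name] = "no compliance.<n>.governance = %s" % governance
        elif not any(p.get("control") for p in matching):
            problems[name] = "governance set but no control with the same index"
    return problems
```

Searches reported here are the ones whose notable events would appear in the first search above but drop out of the second.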
You can install these Cisco add-ons on the search head with the Splunk App for PCI Compliance and partially disable them to prevent load.
- To disable the Cisco searches, go to Manager > Searches and Reports, select the app name and disable all searches.
- To disable their dashboards, go to Manager > User Interface > Views, select the app name and disable all views.
This applies to these Cisco add-ons:
- Splunk for Cisco IPS: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IPS
- Splunk for Cisco Firewalls: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Firewalls
- Splunk for Cisco Client Security Agent: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Client+Security+Agent
- Splunk for Cisco IronPort Email Security Appliance: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Email+Security+Appliance
- Splunk for Cisco IronPort Web Security Appliance: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Web+Security+Appliance
- Splunk for Cisco MARS: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+MARS
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1