https://community.splunk.com/t5/Splunk-Enterprise/How-to-specify-Enterprise-Security-sourcetypes/m-p/593781#M12236 <P>What is the name of the Correlational Search that is having this issue?</P><P>If you are sure that the index and sourcetype has the data it requires, is it possible that you are missing a Technical Addon that maps the data into a CIM format?</P> Thu, 14 Apr 2022 12:56:58 GMT Stefanie 2022-04-14T12:56:58Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-specify-Enterprise-Security-sourcetypes/m-p/593679#M12229 <P>I have correlation searches in ES that are not generating notable events as they should be. When I click on content management and find a search that isn't working, it shows a green check mark next to the index but a red exclamation mark next to the sourcetype, saying that there have been no events in that sourcetype for the last 24 hours.&nbsp;<BR /><BR />I want to know if this is the cause of my issue, and what I can do to troubleshoot it. I see there are events in the sourcetype/index specified, and they are visible in the search box of the ES app.&nbsp;</P> Thu, 14 Apr 2022 15:11:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-specify-Enterprise-Security-sourcetypes/m-p/593679#M12229 TheBravoSierra 2022-04-14T15:11:13Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-specify-Enterprise-Security-sourcetypes/m-p/593781#M12236 <P>What is the name of the Correlational Search that is having this issue?</P><P>If you are sure that the index and sourcetype has the data it requires, is it possible that you are missing a Technical Addon that maps the data into a CIM format?</P> Thu, 14 Apr 2022 12:56:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-specify-Enterprise-Security-sourcetypes/m-p/593781#M12236 Stefanie 2022-04-14T12:56:58Z