topic Splunk CIM-Compliance related questions in Splunk Enterprise

Splunk CIM-Compliance related questions

ND1 — Mon, 09 Jun 2025 18:08:29 GMT

Why is my Correlation Search not showing up in Incident Review?”

“How do I determine why a Correlation Search isn’t creating a notable event?”

Re: Splunk CIM-Compliance related questions

sainag_splunk — Mon, 09 Jun 2025 19:03:01 GMT

@ND1 Most probably when an incident is not showing up, it's either suppression blocking the events or the notable action not being properly configured.

1. Check if notable events are being created:

index=notable earliest=-7d | search source="*your_correlation_search_name*"

2. Check suppression settings:

| rest /services/saved/searches | search title="*your_correlation_search_name*" | table title, alert.suppress, alert.suppress.period

Try below:

If alert.suppress=1, try disabling suppression temporarily in ES > Content Management

Edit your correlation search and ensure "Notable" action is checked and saved

Test your correlation search manually first to confirm it returns results

If this Helps, Please Upvote.

Re: Splunk CIM-Compliance related questions

tej57 — Thu, 19 Jun 2025 14:16:55 GMT

Hey @ND1,

Whatever @sainag_splunk mentioned is all correct. Additionally, you'll also need to validate if the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see if the events are present, do they qualify for the correlation search to trigger the notable creation or not.

Thanks,
Tejas.

Re: Splunk CIM-Compliance related questions

moorte — Thu, 19 Jun 2025 17:18:02 GMT

The answers already given are spot on.

When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results. Do a copy and paste from the search query in the correlation search to an SPL window to validate that you don't actually mistype things.

If you get results from the query, than you want to validate that adaptive response is set (in ES versions before Splunk 😎 to make a notable.

In ES 8 you will want to make sure that event finding option is selected The other type of finding goes into a risk score and will not actually create a finding for you in analyst queue.

If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that for sure will fire

index=_internal | head 1
| table index, sourcetype

Then see if that search will fire off an alert, if it doesn't you know that you have a configuration setting messed up in the correlation search.

Hope this helps