https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/526396#M88801 <P><SPAN>I found a reason. inputs.conf file was removed while installing CIM app to follow addon installation in distributed environment guide. Some addons are exceptional, I should have read manual carefully.&nbsp; &nbsp;</SPAN></P> Mon, 26 Oct 2020 02:30:19 GMT eegiievol 2020-10-26T02:30:19Z https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519827#M87888 <P>We are unable to see our notable events when correlation search criteria met. Upon investigation, found out that notable index is empty, which resulting&nbsp;<A href="https://10.133.3.201:8000/en-US/manager/search/data/transforms/lookups/es_notable_events?action=edit&amp;ns=SplunkEnterpriseSecuritySuite&amp;f_ns=search&amp;f_pwnr=-&amp;f_search=notable&amp;f_count=25&amp;uri=%2FservicesNS%2Fnobody%2FSplunkEnterpriseSecuritySuite%2Fdata%2Ftransforms%2Flookups%2Fes_notable_events" target="_blank" rel="noopener nofollow noopener noreferrer">es_notable_events</A>&nbsp; kvstore lookup empty. Correlation search has no issue because we could see other AR actions triggered except notable.&nbsp;</P><P>Our environment:<BR /><SPAN>2 indexers with cluster configuration, 1 SH, 1 stack of MC/License master/Deployment server, 1 Cluster Master. ES version:&nbsp;6.2.0, Enterprise version:&nbsp;8.0.5</SPAN></P><P>Hope someone can give me a hand<SPAN>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eegiievol_0-1600234991221.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10861i33D1979673402944/image-size/medium?v=v2&amp;px=400" role="button" title="eegiievol_0-1600234991221.png" alt="eegiievol_0-1600234991221.png" /></span></P><P>&nbsp;</P> Wed, 16 Sep 2020 05:44:08 GMT https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519827#M87888 eegiievol 2020-09-16T05:44:08Z https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519830#M87889 <P>check the status of kvstore on search head. status should be ready.</P><LI-CODE lang="markup">| rest splunk_server=local /services/server/info | table kvStoreStatus</LI-CODE><P>&nbsp;</P> Wed, 16 Sep 2020 06:15:56 GMT https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519830#M87889 thambisetty 2020-09-16T06:15:56Z https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519835#M87890 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eegiievol_0-1600237327509.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10862i758306B8EB2F0D09/image-size/medium?v=v2&amp;px=400" role="button" title="eegiievol_0-1600237327509.png" alt="eegiievol_0-1600237327509.png" /></span></P><P>&nbsp;</P> Wed, 16 Sep 2020 06:22:17 GMT https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/519835#M87890 eegiievol 2020-09-16T06:22:17Z https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/526396#M88801 <P><SPAN>I found a reason. inputs.conf file was removed while installing CIM app to follow addon installation in distributed environment guide. Some addons are exceptional, I should have read manual carefully.&nbsp; &nbsp;</SPAN></P> Mon, 26 Oct 2020 02:30:19 GMT https://community.splunk.com/t5/Getting-Data-In/ES-notable-index-empty-resulting-empty-notable-dashboards/m-p/526396#M88801 eegiievol 2020-10-26T02:30:19Z