https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630637#M11309 <P>Hi Splunkers.</P> <P>I have noticed a strange behavior from Splunk, I have a correlation search that I have created a while ago, ensured to select "Notable" under the&nbsp;<STRONG>Adaptive Responsive section</STRONG>&nbsp;so that it creates a notable, also tested that when I run the search manually it produced results. BUT it does not generate notables in the&nbsp;<STRONG>Incident Review</STRONG>&nbsp;dashboard!<BR /><BR />So I went and searched&nbsp;index=notable and found 4 events for this&nbsp;correlation search in the last 30 days!<BR />Then I checked the same index for another&nbsp;correlation search that DOES&nbsp;generate notables in the&nbsp;Incident Review&nbsp;dashboard (4 notables in the last 30 days) and indeed I found 4 events in the notable index!<BR /><BR />I also used the "Correlation Search Audit" app (<A href="https://splunkbase.splunk.com/app/4144)" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/4144)</A>&nbsp;and Indeed this app shows that this&nbsp;correlation search has been triggered 4 times in the last 30 days!&nbsp;<BR /><BR />The search does not have any lookups (In case you asked about the <SPAN>permissions of the lookups</SPAN>).<BR />The search does use the Web data model (and it has <SPAN>Global permissions</SPAN>).<BR /><BR />I'm using the admin user so I have&nbsp;sufficient privileges.<BR /><BR />I'm using:<BR />Splunk Enterprise version: 8.1.0<BR />Enterprise Security version: 6.2.0<BR />OS:&nbsp;Red Hat Enterprise Linux Server 7.7 (Maipo)<BR /><BR />Any Idea why this is happening?&nbsp;</P> Mon, 13 Feb 2023 17:13:42 GMT muradgh 2023-02-13T17:13:42Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630637#M11309 <P>Hi Splunkers.</P> <P>I have noticed a strange behavior from Splunk, I have a correlation search that I have created a while ago, ensured to select "Notable" under the&nbsp;<STRONG>Adaptive Responsive section</STRONG>&nbsp;so that it creates a notable, also tested that when I run the search manually it produced results. BUT it does not generate notables in the&nbsp;<STRONG>Incident Review</STRONG>&nbsp;dashboard!<BR /><BR />So I went and searched&nbsp;index=notable and found 4 events for this&nbsp;correlation search in the last 30 days!<BR />Then I checked the same index for another&nbsp;correlation search that DOES&nbsp;generate notables in the&nbsp;Incident Review&nbsp;dashboard (4 notables in the last 30 days) and indeed I found 4 events in the notable index!<BR /><BR />I also used the "Correlation Search Audit" app (<A href="https://splunkbase.splunk.com/app/4144)" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/4144)</A>&nbsp;and Indeed this app shows that this&nbsp;correlation search has been triggered 4 times in the last 30 days!&nbsp;<BR /><BR />The search does not have any lookups (In case you asked about the <SPAN>permissions of the lookups</SPAN>).<BR />The search does use the Web data model (and it has <SPAN>Global permissions</SPAN>).<BR /><BR />I'm using the admin user so I have&nbsp;sufficient privileges.<BR /><BR />I'm using:<BR />Splunk Enterprise version: 8.1.0<BR />Enterprise Security version: 6.2.0<BR />OS:&nbsp;Red Hat Enterprise Linux Server 7.7 (Maipo)<BR /><BR />Any Idea why this is happening?&nbsp;</P> Mon, 13 Feb 2023 17:13:42 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630637#M11309 muradgh 2023-02-13T17:13:42Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630638#M11310 <P>Perhaps the NE is being suppressed.&nbsp; Check by going to Configure-&gt;Incident Management-&gt;Notable Event Suppressions</P> Mon, 13 Feb 2023 13:15:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630638#M11310 richgalloway 2023-02-13T13:15:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630639#M11311 <P>I have checked but nope, it's not&nbsp;<SPAN>suppressed</SPAN></P> Mon, 13 Feb 2023 13:23:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630639#M11311 muradgh 2023-02-13T13:23:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630640#M11312 <P>What you are describing happens when the correlation rule is suppressed.&nbsp; Did you check the suppression page for this alert ?&nbsp;<BR />Secondly when you ran the search manually , did it produce results in a tabular format ?&nbsp; Typically correlation search results are in a tabular format.<BR /><BR />P.S Pls upvote if this helps.</P> Mon, 13 Feb 2023 13:24:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630640#M11312 neerajs_81 2023-02-13T13:24:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630641#M11313 <P><SPAN>I have checked but nope, it's not&nbsp;</SPAN><SPAN>suppressed.<BR />And yes the search produces&nbsp;results in a tabular format</SPAN></P> Mon, 13 Feb 2023 13:26:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Correlation-search-not-showing-notable-in-Incident-Review/m-p/630641#M11313 muradgh 2023-02-13T13:26:31Z