https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413263#M4911 <P>I have a search in which is generating results when I have it set as an alert and is successfully creating and event in the notable index. However, when I look on the Incident Review dashboard it does not show. I have multiple other searches/alerts which are working without any issues. Has anyone experienced this or been able to resolve this? I've tried rebuilding the search/alert, but am still having the same issue (notable event is generated, but does not show in the Incident Review dashboard).</P> Fri, 18 Jan 2019 15:11:38 GMT arlombar 2019-01-18T15:11:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413263#M4911 <P>I have a search in which is generating results when I have it set as an alert and is successfully creating and event in the notable index. However, when I look on the Incident Review dashboard it does not show. I have multiple other searches/alerts which are working without any issues. Has anyone experienced this or been able to resolve this? I've tried rebuilding the search/alert, but am still having the same issue (notable event is generated, but does not show in the Incident Review dashboard).</P> Fri, 18 Jan 2019 15:11:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413263#M4911 arlombar 2019-01-18T15:11:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413264#M4912 <P>Can you share your correlation search (after masking sensitive data)?</P> Mon, 28 Jan 2019 22:13:54 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413264#M4912 lakshman239 2019-01-28T22:13:54Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413265#M4913 <P>Run you MC Health Checks and see if you have any <CODE>Skipped Searches</CODE> (I assume that you will find that you do). You can also use the <CODE>ES Health Check</CODE> app for this. It is possible that the search that populates the dashboard from what ends up in the notable index is not being run because of too much load (skipped searches). As a test (and a temporary work-around until you can fix the skipped-searches problem), you can manually run the <CODE>ESS - Notable Events</CODE>. It is safe to run this at any time and it will update the <CODE>Security Posture</CODE> dashaboard to the latest notables state.</P> Mon, 28 Jan 2019 23:33:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413265#M4913 woodcock 2019-01-28T23:33:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413266#M4914 <P>Sorry for my late reply, thanks for your suggestions. Could you explain how I would run "ESS - Notable Events"? Is this a built in search or something in the UI? I know how to look at the index in a search, but just wanted to be clear what you are advising to do as the work around. Also, I ran a health check on the MC and the only issue that came back was for a skipped search, but when I drilled down to see what search was being skipped, it was unrelated to the one I am having an issue with.</P> Wed, 06 Feb 2019 17:27:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413266#M4914 arlombar 2019-02-06T17:27:08Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413267#M4915 <P>Go to <CODE>Settings</CODE> -&gt; <CODE>Searches, reports, and alerts</CODE> and search for <CODE>ESS - Notable Events</CODE>. Then click <CODE>Run</CODE>.</P> Fri, 08 Feb 2019 18:18:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Notable-event-missing-from-Incident-Review-dashboard/m-p/413267#M4915 woodcock 2019-02-08T18:18:08Z