topic How to troubleshoot notable events not generating / not showing under Incident Review? in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-troubleshoot-notable-events-not-generating-not-showing/m-p/466711#M6983 <P>Splunk Enterprise v7.0.1</P> <P>Some notable events are showing in Incident Review but not all. </P> <P>We are missing some notables that used to show/generate fine in the past. </P> <P>Not sure if related but running MC Health Check shows the following - </P> <OL> <LI><P>Orphaned scheduled searches Splunk Miscellaneous configuration, search<BR /><BR /> One or more scheduled searches are orphaned, meaning that they are no longer associated with valid owners. The scheduler will not run orphaned scheduled searches.</P></LI> <LI><P>Search scheduler skip ratio Data Search scheduler<BR /><BR /> Scheduled searches are being skipped on one or more search heads.</P></LI> </OL> Tue, 17 Dec 2019 16:47:12 GMT natemax 2019-12-17T16:47:12Z How to troubleshoot notable events not generating / not showing under Incident Review? https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-troubleshoot-notable-events-not-generating-not-showing/m-p/466711#M6983 <P>Splunk Enterprise v7.0.1</P> <P>Some notable events are showing in Incident Review but not all. </P> <P>We are missing some notables that used to show/generate fine in the past. </P> <P>Not sure if related but running MC Health Check shows the following - </P> <OL> <LI><P>Orphaned scheduled searches Splunk Miscellaneous configuration, search<BR /><BR /> One or more scheduled searches are orphaned, meaning that they are no longer associated with valid owners. The scheduler will not run orphaned scheduled searches.</P></LI> <LI><P>Search scheduler skip ratio Data Search scheduler<BR /><BR /> Scheduled searches are being skipped on one or more search heads.</P></LI> </OL> Tue, 17 Dec 2019 16:47:12 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-troubleshoot-notable-events-not-generating-not-showing/m-p/466711#M6983 natemax 2019-12-17T16:47:12Z Re: How to troubleshoot notable events not generating / not showing under Incident Review? https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-troubleshoot-notable-events-not-generating-not-showing/m-p/466712#M6984 <P>The MC Health Check explained why you are missing notable events. </P> <OL> <LI>You have orphaned scheduled searches, which won't run. Scheduled/correlation searches that don't run don't produce notables. Assign the searches to another user.</LI> <LI>Skipped searches don't run and, therefore, don't product notables. Find out why the searches were skipped and make the necessary corrections.</LI> </OL> Tue, 17 Dec 2019 18:44:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-troubleshoot-notable-events-not-generating-not-showing/m-p/466712#M6984 richgalloway 2019-12-17T18:44:38Z