topic Re: notable index not populating events for Splunk enterprise security appurity app in Splunk Enterprise Security

notable index not populating events for Splunk enterprise security appurity app

Arun — Thu, 04 Feb 2021 12:00:11 GMT

Can anyone help me im understanding why the notable events are not getting populated on splunk enterprise security.

Ive reinstalled the enterprise security app to see if that fixs the problem. But no luck.

Also ive enabled the corelation searches that are shipped by default by the app. The CS search returns the event result when explicitly searched but when the scheduled toh run no notable events are generated. I manually tired creating a notable events. still i do not see any of the notable events in security posture or other tabs.

To validate ive checked the notable index (i.e. index="notable") but even the notable index returns 0 events.I tried all but no luck.

Can someone help we you understanding what is causing the issue

Re: notable index not populating events for Splunk enterprise security appurity app

lkutch_splunk — Thu, 04 Feb 2021 17:07:57 GMT

Let me know if this helps:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables

Re: notable index not populating events for Splunk enterprise security appurity app

scelikok — Thu, 04 Feb 2021 19:39:26 GMT

i @Arun,

If you are using indexer cluster, you should have create indexes that ES will use on your indexers. notable index is one of these. Could you please check if you may miss this step?

https://docs.splunk.com/Documentation/ES/6.4.1/Install/Indexes