
Backfilling for ES correlation searches does not produce Notable events


We recently had an issue with the Splunk scheduler wherein correlation searches weren't running (fixed by simply restarting the SHC members).

Due to this, we've lost Notable events. I thought I could backfill these using the script; however, it seems this may not be correct?

I'm able to successfully kick off "back filling" correlation searches; however, I'm not seeing any Notable events added to the notable index.

splunk cmd -app <app> -name <search> -et <start epoch> -lt <end epoch> -dedup true -nolocal true -j 4 (for example)

Can someone please confirm or deny this?
