
Splunk for PCI Compliance App not creating notable event

marcoscala
Builder

Hi!
I'm implementing the Splunk App for PCI Compliance and I have a problem with notable events not being created for excessive failed logins on a custom sourcetype with a custom "app=sam".

The corresponding search (Access - Excessive Failed Logins - Rule) correctly recognizes the events, and the events are also placed in the "access_summary" index ("index=access_summary app=sam count>50" returns my excessive failed logins). But no notable event has been created in "index=notable" ("index=notable app=sam" doesn't return any event).

The original events produce the requested fields: host,action,app,src,src_user,dest,user

Any ideas?

Thanks,
Marco Scala

0 Karma

israelgutierrez
Path Finder

Hello. What we found was that the search was in real time, and limits.conf has a limit on the number of searches, so the new real-time search was outside that limit. The PCI app has several real-time searches, so it is very easy to reach the limit in limits.conf. When we modified that limit everything was fine; at least that solved our problem.

0 Karma

matthieu_araman
Communicator

Hello,

I don't know about the PCI app, but if it's like ES, I think you should verify that your logs are tagged following CIM (not just the fields), then wait a bit (like 30 minutes) until the PCI app finds them and is able to generate events, and retest?

0 Karma
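The two explanations offered in this thread (events not tagged per CIM, and the correlation search being skipped because the real-time search concurrency limit in limits.conf was reached) can both be checked from the search bar. The searches below are an added example and not part of the original thread or of the PCI app; `<your_index>` and `<your_sourcetype>` are placeholders for the custom data described in the question, and the rule name is the one quoted by the original poster.

```spl
index=<your_index> sourcetype=<your_sourcetype> app=sam tag=authentication action=failure
| stats count by sourcetype, tag, action

| tstats count from datamodel=Authentication where Authentication.app=sam by Authentication.action

index=_internal sourcetype=scheduler savedsearch_name="Access - Excessive Failed Logins - Rule"
| stats count by status, reason
```

The first search returns nothing if the events carry the fields but not the `authentication` tag, which is the case the reply above describes; the second confirms the same thing through the CIM Authentication data model, since a correlation search driven by the data model only sees events that are tagged. The third search reads the scheduler's own log: a `status=skipped` row with a `reason` mentioning the maximum number of concurrent searches points at the limits.conf concurrency limit that the earlier reply raised (for example `max_rt_search_multiplier` in the `[search]` stanza), while `status=success` with no notable events points back at the data rather than at scheduling.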

marcoscala
Builder

Thanks Matthieu,
I also implemented ES, and it was fine. I'm not working on that project any more, but I remember that the logs were tagged following CIM; otherwise the correlation rule doesn't recognize them and apply.

Marco

0 Karma

msmapper
Path Finder

Has anyone found an answer to this question? I am running into the same issue. The data appears to be there if I look at the events returned in Verbose mode but in the table view or in Smart mode, the results are zero.

0 Karma

israelgutierrez
Path Finder

Have you resolved this?

Sadly, I see very little activity on PCI Compliance app questions.

0 Karma