Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk for PCI Compliance App not creating not...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk for PCI Compliance App not creating notable event
Hi!
I'm implementing the Splunk App for PCI Compliance and I have problem with notable events not being created for excessive failed login on a custom sourcetype with a custom "app=sam"
The corresponding search (Access - Excessive Failed Logins - Rule) recognizes correctly the events and the events are also placed in the "access_summary" index ("index=access_summary app=sam count>50" returns my excessive failed logins). But no Notable event has been created in the "index=notable" ("index=notable app=sam" doesn't return any event)
The original events produce the requested fields: host,action,app,src,src_user,dest,user
Any ideas?
Thanks,
Marco Scala
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello What we found was that the search was in Real Time and the Limits.conf have a limit number of searches so the new real-time search was out of that Limit, the PCI APP have several real-time searches so it is very easy to reach the limit in limits.conf When we modify that limit everything was fine, at least that solve our problem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I don't know for PCI app but if it's like ES, I think you should verify that your logs are tagged following CIM (not just the fields) then wait a bit (like 30 minutes) until the PCI app find them to be able to generate events and retest ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Matthieu,
I also implemented ES and was fine. I'm not working on that project any more, and I remember that the logs were tagged following CIM, otherwise the Correlational Rule doesn't recognize them and apply.
Marco
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone found an answer to this question? I am running into the same issue. The data appears to be there if I look at the events returned in Verbose mode but in the table view or in Smart mode, the results are zero.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you been resolved this?
Sadly I see very few activity on PCI Compliance APP questions
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
