SplunkES - How do the correlation search results go to the 'notable' index?

How do the results of the correlation events go to the "notable" index?
Is there any configuration file for this?

Also, if I manually call a correlation search, will those results also go to the notable index?

Re: SplunkES - How do the correlation search results go to the 'notable' index?

The events are sent to the notable index via a summary indexing alert action. Below is a sample of a correlation search's alert action that summary indexes the results:

[Endpoint - Host Sending Excessive Email - Rule]
action.summary_index          = 1
action.summary_index._name    = notable
action.summary_index.ttl      = 1p

Manually running the search interactively won't trigger the alert actions (that is something that the scheduler does).
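As an added example (not code from the thread, from Splunk or from Enterprise Security), the following Python audit parses savedsearches.conf stanzas like the one above and reports which correlation searches will actually produce notable events, treating the scheduler point from the answer as a check too. It assumes the keys shown in the answer plus the standard savedsearches.conf keys enableSched and disabled; the configuration fragment is constructed.

```python
"""Audit which savedsearches.conf stanzas actually write notable events.
Added example, not Splunk/Enterprise Security code; assumes the keys from the answer
above (action.summary_index, action.summary_index._name) plus the standard
savedsearches.conf keys enableSched and disabled."""
import configparser

# Constructed savedsearches.conf fragment, not from a real deployment.
SAMPLE_CONF = """[Endpoint - Host Sending Excessive Email - Rule]
enableSched = 1
action.summary_index = 1
action.summary_index._name = notable
[Access - Brute Force Access Behavior Detected - Rule]
enableSched = 1
action.summary_index = 0
action.summary_index._name = notable
[Network - Unusual Volume of Traffic - Rule]
enableSched = 0
action.summary_index = 1
action.summary_index._name = notable
[Threat - Watchlisted Event - Rule]
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_threat
"""


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse an ini-style Splunk .conf fragment into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; Splunk keys are case-sensitive
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def is_true(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "t", "yes", "y"}


def audit_notable_routing(conf: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Bucket stanzas by whether they can produce notable events. Only a scheduled
    search with the summary-index action on and aimed at 'notable' does."""
    report: dict[str, list[str]] = {"notable": [], "not_scheduled": [], "action_off": [], "other_index": []}
    for name, keys in conf.items():
        if is_true(keys.get("disabled", "0")) or not is_true(keys.get("enableSched", "0")):
            report["not_scheduled"].append(name)  # the scheduler never runs it, so no alert action fires
        elif not is_true(keys.get("action.summary_index", "0")):
            report["action_off"].append(name)
        elif keys.get("action.summary_index._name", "").strip() != "notable":
            report["other_index"].append(name)
        else:
            report["notable"].append(name)
    return report
```

Every bucket other than "notable" is a correlation search that silently never raises a notable event, which is the gap worth looking for when detections seem to be missing.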