Why are Notable events in Splunk ES not being trig...

AL3Z · ‎03-22-2023

Hi,

Greetings! I am attempting to utilize Splunk ES functionality by using a test index After creating a correlation search, I added a trigger action to create a notable event on the search head (SH).

Any ideas of how to troubleshoot this, or what might be wrong greatly appreciated.

gcusello · ‎03-25-2023

Hi @AL3Z ,

at first, check if the Correlation Search is enabled and trigger events, you can test this manually running the search in the same time period you configuresd for you Correlation Search.

Then you should check if the action of Notable Creation is correctly configured.

Ciao.

Giuseppe

glc_slash_it · ‎03-25-2023

Hey!

Here goes some silly questions to help debug that.

Is the correlation search enabled? Also check permissions.

Is the search actually producing results to trigger the action?

Usually correlation searches run with a time interval of the last 5min. Is your search producing results on the last 5min?

------------
If this was helpful, some karma would be appreciated.

Why are Notable events in Splunk ES not being triggered?

drilldown

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7