Solved: Re: ES notable index empty resulting empty notable...

eegiievol · ‎09-15-2020

We are unable to see our notable events when correlation search criteria met. Upon investigation, found out that notable index is empty, which resulting es_notable_events kvstore lookup empty. Correlation search has no issue because we could see other AR actions triggered except notable.

Our environment:
2 indexers with cluster configuration, 1 SH, 1 stack of MC/License master/Deployment server, 1 Cluster Master. ES version: 6.2.0, Enterprise version: 8.0.5

Hope someone can give me a hand

eegiievol · ‎10-25-2020

I found a reason. inputs.conf file was removed while installing CIM app to follow addon installation in distributed environment guide. Some addons are exceptional, I should have read manual carefully.

View solution in original post

eegiievol · ‎10-25-2020

I found a reason. inputs.conf file was removed while installing CIM app to follow addon installation in distributed environment guide. Some addons are exceptional, I should have read manual carefully.

thambisetty · ‎09-15-2020

check the status of kvstore on search head. status should be ready.

| rest splunk_server=local  /services/server/info | table kvStoreStatus

————————————
If this helps, give a like below.

eegiievol · ‎09-15-2020

ES notable index empty resulting empty notable dashboards

index

Linux

source

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms