Solved: notable exist but incident review has no values

Mohamad_Alaa · ‎11-28-2023

I created a manual correlation search with the below SPL --> the action is notable creation

splunk_server=* index=* host=x.x.x.x "login" | stats count by src_ip | where count > 3

after that i can see the notable created from the search tab

index=notable

but still the incident review has no values

any hints guys?

Mohamad_Alaa · ‎11-29-2023

problem solved, i appreciate all your responses

once i search in SH, i should use the parameter splunk_server=* in order to see results
So obviously this was my issue as i should see results without such paramter

modified the below on SH, solved it

C:\Program Files\Splunk\etc\system\local\distsearch.conf

[distributedSearch:dmc_group_indexer]

default = false

View solution in original post

Mohamad_Alaa · ‎11-29-2023

problem solved, i appreciate all your responses

once i search in SH, i should use the parameter splunk_server=* in order to see results
So obviously this was my issue as i should see results without such paramter

modified the below on SH, solved it

C:\Program Files\Splunk\etc\system\local\distsearch.conf

[distributedSearch:dmc_group_indexer]

default = false

gcusello · ‎11-29-2023

hi @Mohamad_Alaa ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Mohamad_Alaa · ‎11-29-2023

kindly find the screenshot for the full correlation search and notable configuration

gcusello · ‎11-29-2023

Hi @Mohamad_Alaa ,

if you insert the threshold in the search (where count>3), you don't need to put the condition results>1 also in the Trigger conditions, use results>0.

In addition, avoid realtime searches, always use continous.

at least,whey do you have a time period of 24 hours and a scheduling of every 5 minutes?

Ciao.

Giuseppe

Mohamad_Alaa · ‎11-29-2023

Thank @gcusello for your response
i edited that in all cases, but the notable was already created so no problem if continous or real time or even if the trigger>1

what do you think regarding incident review page?

gcusello · ‎11-29-2023

hi @Mohamad_Alaa ,

check if you have filters compatible with the values you defined for the Notable.

Ciao.

Giuseppe

Mohamad_Alaa · ‎11-28-2023

yes exactly the same, the only different they used deep search but i didn't
Noting that notable already exist so the trigger is working and the response is working by creating a notable
The severity is high for this notable

Any other advice?

gcusello · ‎11-29-2023

hi @Mohamad_Alaa ,

which time period did you used in the Correlation Search?

Ciao.

Giuseppe

gcusello · ‎11-28-2023

Hi @Mohamad_Alaa ,

did you inserted also the other values in the Correlation search panel?

especially Action: create Notable with all the requested information?

See the information in another Correlation Search to understand if you forgot something.

Ciao.

Giuseppe

notable exist but incident review has no values

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...