Security

Notable exists but Incident Review has no values

Mohamad_Alaa
Path Finder

I created a manual correlation search with the SPL below; the action is notable creation:

splunk_server=* index=* host=x.x.x.x "login" | stats count by src_ip | where count > 3

After that I can see the notable created from the Search tab:

index=notable

but Incident Review still has no values.

Any hints, guys?

0 Karma
1 Solution

Mohamad_Alaa
Path Finder

Problem solved, I appreciate all your responses.

Once I search on the SH, I have to use the parameter splunk_server=* in order to see results. So obviously this was my issue, as I should see results without such a parameter.

Modified the below on the SH, which solved it:

C:\Program Files\Splunk\etc\system\local\distsearch.conf

[distributedSearch:dmc_group_indexer]

default = false


0 Karma


gcusello
SplunkTrust

Hi @Mohamad_Alaa,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

Mohamad_Alaa
Path Finder

Kindly find the screenshot for the full correlation search and notable configuration.

0 Karma

gcusello
SplunkTrust

Hi @Mohamad_Alaa,

If you insert the threshold in the search (where count>3), you don't need to also put the condition results>1 in the Trigger conditions; use results>0.

In addition, avoid real-time searches; always use continuous.

At least, why do you have a time period of 24 hours and a scheduling of every 5 minutes?

Ciao.

Giuseppe

0 Karma
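To make the threshold-versus-trigger point above concrete, here is an added Python example (not code from the original thread or from Splunk): it emulates the OP's correlation search (keyword "login", then stats count by src_ip | where count > 3) over a handful of constructed login events, and then evaluates both trigger conditions, results>1 and results>0. The field names, the host value and the sample events are assumptions made for the illustration.

```python
"""Emulate the thread's correlation search and its trigger condition.

Added example, not part of the original post. The events below are
constructed for the illustration; field names (host, src_ip, action)
are assumptions.
"""
import re
from collections import Counter

# Constructed sample events (not real data). One source sends five login
# events, one sends exactly three, one sends a single login, and there is
# one logout event that must not be counted by a search for "login".
SAMPLE_EVENTS = [
    "host=10.0.0.5 action=login src_ip=203.0.113.7 user=alice result=failure",
    "host=10.0.0.5 action=login src_ip=203.0.113.7 user=alice result=failure",
    "host=10.0.0.5 action=login src_ip=203.0.113.7 user=bob result=failure",
    "host=10.0.0.5 action=login src_ip=203.0.113.7 user=alice result=failure",
    "host=10.0.0.5 action=login src_ip=203.0.113.7 user=alice result=success",
    "host=10.0.0.5 action=login src_ip=198.51.100.2 user=carol result=failure",
    "host=10.0.0.5 action=login src_ip=198.51.100.2 user=carol result=failure",
    "host=10.0.0.5 action=login src_ip=198.51.100.2 user=carol result=success",
    "host=10.0.0.5 action=login src_ip=192.0.2.9 user=dave result=success",
    "host=10.0.0.5 action=logout src_ip=203.0.113.7 user=alice",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Extract key=value pairs the way automatic field extraction would."""
    fields = dict(FIELD_RE.findall(line))
    fields["_raw"] = line
    return fields


def keyword_match(line, term):
    """A bare search term matches whole tokens, so "login" must not match
    "logout"; emulate that with a token-level comparison."""
    tokens = re.split(r"[^A-Za-z0-9_.]+", line.lower())
    return term.lower() in tokens


def run_correlation_search(events, host="10.0.0.5", term="login", threshold=3):
    """host=<host> "<term>" | stats count by src_ip | where count > <threshold>

    Returns the result rows as a sorted list of (src_ip, count).
    """
    counts = Counter()
    for line in events:
        ev = parse_event(line)
        if ev.get("host") != host or not keyword_match(line, term):
            continue
        src = ev.get("src_ip")
        if src:
            counts[src] += 1
    # `where count > 3` is a strict comparison: exactly three logins do not qualify.
    return sorted((src, n) for src, n in counts.items() if n > threshold)


def trigger_fires(results, min_results):
    """Trigger condition 'number of results > min_results'.

    Because the threshold already lives in the search, every returned row is
    an offender; results>1 therefore needs two distinct offending source IPs
    in the same run before a notable is created, while results>0 fires on one.
    """
    return len(results) > min_results


if __name__ == "__main__":
    rows = run_correlation_search(SAMPLE_EVENTS)
    print("search results:", rows)
    print("trigger results>1 fires:", trigger_fires(rows, 1))
    print("trigger results>0 fires:", trigger_fires(rows, 0))
```

With the sample data only 203.0.113.7 exceeds the threshold, so the search returns one row: a trigger condition of results>1 never fires and no notable is written, while results>0 fires as intended. The same check is worth applying to any correlation search whose SPL ends in a where clause.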

Mohamad_Alaa
Path Finder

Thanks @gcusello for your response.
I edited that in all cases, but the notable was already created, so no problem whether continuous or real time, or even if the trigger is >1.

What do you think regarding the Incident Review page?

0 Karma

gcusello
SplunkTrust

Hi @Mohamad_Alaa,

Check if you have filters compatible with the values you defined for the Notable.

Ciao.

Giuseppe

0 Karma

Mohamad_Alaa
Path Finder

Yes, exactly the same; the only difference is that they used deep search but I didn't.
Noting that the notable already exists, so the trigger is working and the response is working by creating a notable.
The severity is high for this notable.

Any other advice?

0 Karma

gcusello
SplunkTrust

Hi @Mohamad_Alaa,

Which time period did you use in the Correlation Search?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @Mohamad_Alaa,

Did you also insert the other values in the Correlation Search panel?

Especially Action: Create Notable, with all the requested information?

See the information in another Correlation Search to understand if you forgot something.

Ciao.

Giuseppe

0 Karma