Splunk Enterprise Security

After upgrading Splunk Enterprise Security from 3.1 to 4.1.1, why did I get so many "correlation to fail" errors?

New Member

Network - Unusual Volume of Network Activity - Rule"
"Network - Substantial Increase in an Event - Rule"

0 Karma
1 Solution

Splunk Employee
Splunk Employee

@rajksplunk -- Each of those correlation searches use extreme search. If the correlation searches themselves are enabled but the context generation searches are not, the correlation search will fail. See http://docs.splunk.com/Documentation/ES/4.1.1/User/ExtremeSearch for more on how extreme search works. Did these searches work (and were they enabled) before you upgraded?

View solution in original post

Splunk Employee
Splunk Employee

@rajksplunk -- Each of those correlation searches use extreme search. If the correlation searches themselves are enabled but the context generation searches are not, the correlation search will fail. See http://docs.splunk.com/Documentation/ES/4.1.1/User/ExtremeSearch for more on how extreme search works. Did these searches work (and were they enabled) before you upgraded?

View solution in original post