Splunk Enterprise Security

After upgrading Splunk Enterprise Security from 3.1 to 4.1.1, why did I get so many "correlation to fail" errors?


"Network - Unusual Volume of Network Activity - Rule"
"Network - Substantial Increase in an Event - Rule"


Splunk Employee

@rajksplunk -- Each of those correlation searches uses extreme search. If the correlation searches themselves are enabled but the context generation searches are not, the correlation search will fail. See http://docs.splunk.com/Documentation/ES/4.1.1/User/ExtremeSearch for more on how extreme search works. Did these searches work (and were they enabled) before you upgraded?

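A configuration check in the spirit of the answer above, added here as an example; it is not part of the original thread and not Splunk's own tooling. It parses a savedsearches.conf-style excerpt (constructed) and flags enabled correlation searches whose context generation searches are disabled or absent. The two rule names come from the question; every other stanza name, and the rule-to-context-gen mapping, are assumptions standing in for the real relationships that ship with ES.

```python
"""Find enabled correlation searches whose context generation searches are off.

Added example (not from the thread or from Splunk). It reads an INI-style
savedsearches.conf excerpt; the dependency map is a hypothetical stand-in for
the real rule-to-context-gen relationships that ship with ES.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed savedsearches.conf excerpt. Only the stanza names and the
# `disabled` key matter for this check; everything else is omitted.
SAMPLE_CONF = """
[Network - Unusual Volume of Network Activity - Rule]
disabled = 0

[Network - Substantial Increase in an Event - Rule]
disabled = 0

[Network - Unused Rule Example - Rule]
disabled = 1

[Network - Event Count Context Gen]
disabled = 1

[Network - Source Count Context Gen]
disabled = 0
"""

# Hypothetical mapping: rule stanza -> context gen stanzas it depends on.
DEPENDENCIES: Dict[str, List[str]] = {
    "Network - Unusual Volume of Network Activity - Rule": [
        "Network - Event Count Context Gen",
    ],
    "Network - Substantial Increase in an Event - Rule": [
        "Network - Source Count Context Gen",
    ],
    "Network - Unused Rule Example - Rule": [
        "Network - Missing Context Gen",  # deliberately absent from the conf
    ],
}


def parse_saved_searches(conf_text: str) -> Dict[str, bool]:
    """Return {stanza name: enabled?} from savedsearches.conf-style text.

    Splunk treats a missing `disabled` key as enabled (disabled = 0).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    return {
        name: parser.get(name, "disabled", fallback="0").strip() != "1"
        for name in parser.sections()
    }


def find_broken_rules(
    conf_text: str, dependencies: Dict[str, List[str]]
) -> List[Tuple[str, List[str]]]:
    """List (rule, [context gen searches that are disabled or missing]).

    A rule is only reported when it is itself enabled: a disabled rule never
    runs, so its dependencies cannot make it fail.
    """
    enabled = parse_saved_searches(conf_text)
    broken: List[Tuple[str, List[str]]] = []
    for rule, ctx_searches in sorted(dependencies.items()):
        if not enabled.get(rule, False):
            continue  # rule disabled or not present; nothing will fail
        missing = [ctx for ctx in ctx_searches if not enabled.get(ctx, False)]
        if missing:
            broken.append((rule, missing))
    return broken


if __name__ == "__main__":
    for rule, missing in find_broken_rules(SAMPLE_CONF, DEPENDENCIES):
        print(f"{rule!r} is enabled but depends on disabled/missing: {missing}")
```

Run against a real merged configuration (for example the output of `btool savedsearches list` saved to a file) with a dependency map built from the ES app's actual search names; the check reports only rules that are enabled, since a disabled rule cannot produce the failure described in the answer.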

