Splunk Enterprise Security

After upgrading Splunk Enterprise Security from 3.1 to 4.1.1, why did I get so many "correlation to fail" errors?

rajksplunk
New Member

Network - Unusual Volume of Network Activity - Rule"
"Network - Substantial Increase in an Event - Rule"

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

@rajksplunk -- Each of those correlation searches use extreme search. If the correlation searches themselves are enabled but the context generation searches are not, the correlation search will fail. See http://docs.splunk.com/Documentation/ES/4.1.1/User/ExtremeSearch for more on how extreme search works. Did these searches work (and were they enabled) before you upgraded?

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

@rajksplunk -- Each of those correlation searches use extreme search. If the correlation searches themselves are enabled but the context generation searches are not, the correlation search will fail. See http://docs.splunk.com/Documentation/ES/4.1.1/User/ExtremeSearch for more on how extreme search works. Did these searches work (and were they enabled) before you upgraded?

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...