Splunk Enterprise Security

Automation Rules Not Working After ES 8.4 Upgrade

openbase
Engager

After upgrading from ES 8.1 to ES 8.4, automation rules are no longer functioning.

When detections are triggered based on events, playbooks should execute automatically, but they are not running. Additionally, no records are being logged in the automation history.

I would like to know how to resolve this issue.


openbase
Engager

The issue has been resolved as follows.

If you encounter the same issue, please refer to the steps below.

Root cause:
The "main" input under Settings > Data Inputs > SOAR Findings Dispatcher was disabled.

Resolution:
Enable the "main" input.

When using Automation Rules in ES, playbooks are automatically triggered through this input.

After the upgrade, this input may become disabled for an unknown reason, which can cause Automation Rules to not function properly.

The exact root cause is still under investigation.

Please take this as a reference.
