Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlation search not showing notable in Incident Review?

muradgh
Path Finder
‎02-13-2023 05:02 AM

Hi Splunkers.

I have noticed a strange behavior from Splunk, I have a correlation search that I have created a while ago, ensured to select "Notable" under the Adaptive Responsive section so that it creates a notable, also tested that when I run the search manually it produced results. BUT it does not generate notables in the Incident Review dashboard!

So I went and searched index=notable and found 4 events for this correlation search in the last 30 days!
Then I checked the same index for another correlation search that DOES generate notables in the Incident Review dashboard (4 notables in the last 30 days) and indeed I found 4 events in the notable index!

I also used the "Correlation Search Audit" app (https://splunkbase.splunk.com/app/4144) and Indeed this app shows that this correlation search has been triggered 4 times in the last 30 days! 

The search does not have any lookups (In case you asked about the permissions of the lookups).
The search does use the Web data model (and it has Global permissions).

I'm using the admin user so I have sufficient privileges.

I'm using:
Splunk Enterprise version: 8.1.0
Enterprise Security version: 6.2.0
OS: Red Hat Enterprise Linux Server 7.7 (Maipo)

Any Idea why this is happening? 

Labels (3)
0 Karma
Reply

neerajs_81
Builder
‎02-13-2023 05:24 AM

What you are describing happens when the correlation rule is suppressed.  Did you check the suppression page for this alert ? 
Secondly when you ran the search manually , did it produce results in a tabular format ?  Typically correlation search results are in a tabular format.

P.S Pls upvote if this helps.

0 Karma
Reply

muradgh
Path Finder
‎02-13-2023 05:26 AM

I have checked but nope, it's not suppressed.
And yes the search produces results in a tabular format

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2023 05:15 AM

Perhaps the NE is being suppressed.  Check by going to Configure->Incident Management->Notable Event Suppressions

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

muradgh
Path Finder
‎02-13-2023 05:23 AM

I have checked but nope, it's not suppressed

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...