Splunk Enterprise Security

Custom Search and notable events

udayk1
Path Finder

We have certain custom searches in Enterprise Security App for example "New MAC Address found in the network", even though I am seeing the results of this search this doesn't raise a notable event and showing in the 'Incident Review' panel, what can be the issue?

Also the same search which worked 45 days back, now it is not working. Can you please help me?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

You need to create the search as a Correlation Search. In ES that utilizes the Notable Framework and allows you to see these under Incident Review. You can also create Notables through the Workflow actions on a specific Event.

Make sure your search is enabled and working.

udayk1
Path Finder

Hello esix_splunk, yes this is a Correlation Search and the notable events did trigger for some time and hence then these all alerts have been discontinued (not sure why). We would want to know the reason for this because there were no changes in the Splunk server we carried out. How can we figure this out? Any screenshots you may want? Or do you recommend to open a Splunk Support case?

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...