Splunk Enterprise Security

Enteprise Security and notable events creation issue

vinz2020
Engager

Dear all

I have an issue with a new dedicated Search Head for ES.
My Splunk architecture is quite simple. 4 clustered indexers, 3 SH, and 1 dedicated SH for ES
everything is working fine, except the ES notable events : the index notable remains empty.

In the SH, search peer list : everything is OK, indexers are defined
All the events of the SH are sent to the indexers, the notable index has been created there

I have correlation searches active with 2 actions : notable and json alerting.
- JSON alerting is OK
- notable : not OK

If I manually create a notable event on ES, I can see it in the index main, with a strange sourcetype (“stash_common_action_model-too_small”)
I have found it with the following request “index=main notable”

“1589789135, search_name="Manual Notable Event - Rule", _time="1589789135", app="SplunkEnterpriseSecuritySuite", creator="XXXX", info_max_time="+Infinity", info_min_time="0.000", info_search_time="1589789135.348247000", owner="XXXX", rule_description="hello world", rule_title="test5", security_domain="access", status="1", urgency="informational"

=> is there an issue with this sourcetype / index ?
=> or any idea for troubleshooting ?

thank you in advance
PS: a Splunk ticket was opened 10 days ago ... but I am still stuck

0 Karma

vinz2020
Engager

problem resolved with the support help

the inputs.conf from the ES app was corrupted
Splunk was not able to parse correctly the notable events.

with the correct inputs.conf file everything is working as expecting

0 Karma

As3r
Loves-to-Learn

Hello everybody,
i have the same problem, is there a way to reset the input.conf?

0 Karma
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...