Splunk Enterprise Security

Enteprise Security and notable events creation issue

vinz2020
Engager

Dear all

I have an issue with a new dedicated Search Head for ES.
My Splunk architecture is quite simple. 4 clustered indexers, 3 SH, and 1 dedicated SH for ES
everything is working fine, except the ES notable events : the index notable remains empty.

In the SH, search peer list : everything is OK, indexers are defined
All the events of the SH are sent to the indexers, the notable index has been created there

I have correlation searches active with 2 actions : notable and json alerting.
- JSON alerting is OK
- notable : not OK

If I manually create a notable event on ES, I can see it in the index main, with a strange sourcetype (“stash_common_action_model-too_small”)
I have found it with the following request “index=main notable”

“1589789135, search_name="Manual Notable Event - Rule", _time="1589789135", app="SplunkEnterpriseSecuritySuite", creator="XXXX", info_max_time="+Infinity", info_min_time="0.000", info_search_time="1589789135.348247000", owner="XXXX", rule_description="hello world", rule_title="test5", security_domain="access", status="1", urgency="informational"

=> is there an issue with this sourcetype / index ?
=> or any idea for troubleshooting ?

thank you in advance
PS: a Splunk ticket was opened 10 days ago ... but I am still stuck

0 Karma

vinz2020
Engager

problem resolved with the support help

the inputs.conf from the ES app was corrupted
Splunk was not able to parse correctly the notable events.

with the correct inputs.conf file everything is working as expecting

0 Karma

As3r
Loves-to-Learn

Hello everybody,
i have the same problem, is there a way to reset the input.conf?

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...