How to troubleshoot notable events not generating ...

natemax · ‎12-17-2019

Splunk Enterprise v7.0.1

Some notable events are showing in Incident Review but not all.

We are missing some notables that used to show/generate fine in the past.

Not sure if related but running MC Health Check shows the following -

Orphaned scheduled searches Splunk Miscellaneous configuration, search

One or more scheduled searches are orphaned, meaning that they are no longer associated with valid owners. The scheduler will not run orphaned scheduled searches.
Search scheduler skip ratio Data Search scheduler

Scheduled searches are being skipped on one or more search heads.

richgalloway · ‎12-17-2019

The MC Health Check explained why you are missing notable events.

You have orphaned scheduled searches, which won't run. Scheduled/correlation searches that don't run don't produce notables. Assign the searches to another user.
Skipped searches don't run and, therefore, don't product notables. Find out why the searches were skipped and make the necessary corrections.

---
If this reply helps you, Karma would be appreciated.

How to troubleshoot notable events not generating / not showing under Incident Review?