Splunk Enterprise Security

Notable events aren't shown in Incident Review

kanam
Loves-to-Learn Everything

I created correlation search and add Notable action as "Adaptive Response Actions".

By running search there are some events and actually Activity>Jobs shows events are existing.

However "Incident Review" doesn't display any event.

#I configure "Throttling" disable by setting "Window duration" as "0".

Labels (2)
0 Karma

lkutch_splunk
Splunk Employee
Splunk Employee

Hi, 
There's a new page in the docs about troubleshooting missing notable events in Splunk Enterprise Security. Maybe one of these tips will help: 
https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Troubleshootnotables

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...