Hi,
I've hit a bit of a roadblock trying to set up some custom correlation searches, which are very similar to others that work successfully.
The data model is configured and generates events, and I have a pivot search that generates events. When setting up others, this worked fine; however, on the last two I've tried setting up, it appears not to be generating events. The time frame is the last 60 minutes, and the notable has some variables.
The inspector shows that it is not able to find events (considering the search runs fine in flashtimeline). I know it is a bit ambiguous, but is there anything obvious I could be missing?
hmmm....
Thanks. 🙂
It turns out the correlation searches didn't like the eventtype. I have a temporary workaround and will have to revisit this at a later date.
tskinnerivsec:
First, you need to test the triggering condition, then manually run your search and verify that you are capturing results with the searches that you are using for your correlations.
jwelch_splunk (Splunk Employee):
Are they scheduled or RT searches? How many cores are on your ES SH? I assume you have created custom DMs for these, or are you using one out of the box? Are they accelerated?
tskinnerivsec:
I would take a serious look at time synchronization across your environment. Correlation searches depend heavily on all the monitored devices having the same time. They should all be using NTP and syncing from the same time source.
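One way to check the clock-skew point above from inside Splunk, as an added example that is not from any of the posters: compare each event's own timestamp (`_time`) with the time the indexer received it (`_indextime`) over the same 60-minute window the correlation search uses. The `index=*` scope and the 300-second threshold are assumptions; narrow them to the indexes and tolerance that fit your environment.

```spl
index=* earliest=-60m latest=now
| eval skew_sec = _indextime - _time
| stats count AS events,
        avg(skew_sec) AS avg_skew_sec,
        min(skew_sec) AS min_skew_sec,
        max(skew_sec) AS max_skew_sec
    BY host, sourcetype
| eval avg_skew_min = round(avg_skew_sec / 60, 1),
       min_skew_min = round(min_skew_sec / 60, 1),
       max_skew_min = round(max_skew_sec / 60, 1)
| where abs(min_skew_sec) > 300 OR abs(max_skew_sec) > 300
| sort - max_skew_sec
```

A large positive skew means the source clock is behind (or ingestion is lagging), so its events fall before the `earliest` boundary of a scheduled search; a negative skew means the source clock is ahead, so its events carry future timestamps that a `latest=now` scheduled search never sees even though an ad-hoc search over "all time" finds them.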
Scheduled searches,
16 cores,
Custom DM,
Not accelerated 🙂