I have an issue at a customer where ES is not showing the notables on the Incident Management page or the Security Posture page. I have confirmed that the custom correlation searches are enabled, and that they are successfully running and creating alerts, judging by the "Activity" -> "Alerts" page.
I have found that the "notable" index is empty over the past 30 days.
Would really appreciate some assistance on this topic, as I have looked at all the articles on Answers and cannot seem to find the issue.
Your correlation search needs to run an adaptive response called "Notable" which then will create a notable event with all the necessary information to write into the notable index. Did you check that your CS has the notable action enabled?
Yes, we have checked this, and all the custom CSs have the notable action enabled.
Do you have the Monitoring Console enabled somewhere? Checked for skipped searches?
Yes, we do. I can see a couple of skipped searches, but when looking at the CSs in Content Management they have a 100% success rate and no skipped searches at all.
Okay, that's strange. Can you try to manually create a notable event and see whether the notable event gets created? https://docs.splunk.com/Documentation/PCI/4.1.0/Install/Notableevents#Create_a_notable_event_from_an...
What version of Core and ES are running?
Manually created the notable from event actions: nothing in the notable index and nothing in Incident Management. We are running Splunk Enterprise 8.0.1 with ES 6.x.
I'm stumped on this one! The strange thing is that the custom CSs were creating notables and showing on the Incident Management page as well as in the notable index, and then stopped on the 27th of February for some reason.
Answering my own question here so that everyone is aware.
The problem was related to the "Splunk_SA_CIM" app. When installing this app on search heads (or SH clusters), be sure not to remove the "inputs.conf" as per the documentation. Splunk ES writes notables to disk, and the inputs.conf within the CIM app then grabs these and writes them to the "notable" index, which in turn allows the Incident Management page to display the notables.
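A quick check for the condition described in the answer above, added here as an example; it is not part of the original thread and not code from the Splunk_SA_CIM app. It assumes the standard layout: the app under $SPLUNK_HOME/etc/apps/Splunk_SA_CIM, the batch input stanza named `[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]` (the stanza name as I recall it from the app's default/inputs.conf; verify against your own copy), and spooled notables landing as `*stash_new` files in $SPLUNK_HOME/var/spool/splunk. It reports whether the app still ships an inputs.conf, whether a local/ override has disabled the stanza, and how many spooled files are waiting to be consumed, which is what a missing or disabled input looks like on disk.

```shell
#!/bin/sh
# Added example: sanity-check the CIM batch input that moves ES notables from the
# spool directory into the notable index. Assumptions (not from the thread): the
# standard app path, the stanza name below, and *stash_new spool file names.
set -u

CIM_APP="etc/apps/Splunk_SA_CIM"
# Assumed stanza name; single quotes keep $SPLUNK_HOME literal, as it is in the conf.
STASH_STANZA='[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]'

# Prints each inputs.conf the app still ships; returns 0 if at least one exists, 1 if none.
check_cim_inputs() {
  found=0
  for f in "$1/$CIM_APP/default/inputs.conf" "$1/$CIM_APP/local/inputs.conf"; do
    if [ -f "$f" ]; then
      echo "found: $f"
      found=1
    fi
  done
  [ "$found" -eq 1 ]
}

# Prints "disabled" if the given conf file turns the stash_new stanza off, else "enabled".
# Accepts "disabled = 1", "disabled=true" and similar; a missing file counts as enabled.
stanza_state() {
  [ -f "$1" ] || { echo enabled; return 0; }
  awk -v want="$STASH_STANZA" '
    /^[[:space:]]*\[/ { in_stanza = ($0 == want) }
    in_stanza && /^[[:space:]]*disabled[[:space:]]*=/ {
      split($0, kv, "="); v = kv[2]; gsub(/[[:space:]]/, "", v)
      if (v == "1" || v == "true") { print "disabled"; found = 1; exit }
    }
    END { if (!found) print "enabled" }
  ' "$1"
}

# Counts spooled notable files waiting to be consumed. A growing count while the
# notable index stays empty is the symptom of the batch input being gone or disabled.
count_spool_backlog() {
  spool="$1/var/spool/splunk"
  n=0
  for f in "$spool"/*stash_new; do
    [ -e "$f" ] || continue
    n=$((n + 1))
  done
  echo "$n"
}

# Overall verdict: 0 when an inputs.conf is present and local/ has not disabled the
# stanza, 1 otherwise. Also prints the spool backlog and, on a real install, the
# effective batch stanzas as btool resolves them.
cim_notable_pipeline_ok() {
  check_cim_inputs "$1" || { echo "no inputs.conf under $CIM_APP"; return 1; }
  state=$(stanza_state "$1/$CIM_APP/local/inputs.conf")
  echo "local override: $state"
  echo "spool backlog: $(count_spool_backlog "$1") file(s)"
  if [ -x "$1/bin/splunk" ]; then
    "$1/bin/splunk" btool inputs list --debug | grep -i 'batch://' || true
  fi
  [ "$state" = enabled ]
}

# Usage on a search head: cim_notable_pipeline_ok "${SPLUNK_HOME:-/opt/splunk}"
```

Run it as the splunk user on each search head (every cluster member, since each one runs its own inputs). If the verdict is bad, restoring the app's inputs.conf or removing the `disabled` override and restarting, then watching the spool count fall, confirms the fix before the Incident Management page catches up.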