We had an outage of 2 hours for all Enterprise Security Search Heads. During this period, we missed few notables to "Incident View" screen. Of-course when Splunk came back-up it started cron jobs from that point onwards and the 2 hours worth of notables is not triggered.
(THese notables are generated using savedsearches within Enterprise Security)
So my query
- if I know the time period and savedsearches/co-relation search for Use-case. How to trigger notables to "Incident Review" dashboard manually?
The only piece I don't know is search to notables index insertion. If you guys know the summary-indexing search to notables , it would be very helpful
If you search for the events manually under the Splunk Enterprise Security search context (ES->Search->Search), "Create Notable Event" will be one of the options available from the "Event Actions" drop down in the search results.
AFAIK, this will only work with raw search results. I don't believe you can manually create notables from tstats/stats/etc. results.