Splunk Enterprise Security: How to manually trigge...

koshyk · ‎05-03-2017

We had an outage of 2 hours for all Enterprise Security Search Heads. During this period, we missed few notables to "Incident View" screen. Of-course when Splunk came back-up it started cron jobs from that point onwards and the 2 hours worth of notables is not triggered.
(THese notables are generated using savedsearches within Enterprise Security)
So my query
- if I know the time period and savedsearches/co-relation search for Use-case. How to trigger notables to "Incident Review" dashboard manually?

The only piece I don't know is search to notables index insertion. If you guys know the summary-indexing search to notables , it would be very helpful

wenthold · ‎05-03-2017

If you search for the events manually under the Splunk Enterprise Security search context (ES->Search->Search), "Create Notable Event" will be one of the options available from the "Event Actions" drop down in the search results.

AFAIK, this will only work with raw search results. I don't believe you can manually create notables from tstats/stats/etc. results.

koshyk · ‎05-07-2017

I've almost found a way to create notables from tstats. just testing few more notables and duplicates to validate this.

Splunk Enterprise Security: How to manually trigger notables?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?