Splunk Enterprise Security: How to manually trigger notables?

koshyk
Super Champion

We had an outage of 2 hours for all Enterprise Security Search Heads. During this period, we missed a few notables to the "Incident View" screen. Of course, when Splunk came back up it started cron jobs from that point onwards, and the 2 hours' worth of notables was not triggered.
(These notables are generated using savedsearches within Enterprise Security.)
So my query:
- If I know the time period and savedsearches/correlation search for the use case, how do I trigger notables to the "Incident Review" dashboard manually?

The only piece I don't know is the search for notables index insertion. If you guys know the summary-indexing search to notables, it would be very helpful.

0 Karma

wenthold
Communicator

If you search for the events manually under the Splunk Enterprise Security search context (ES->Search->Search), "Create Notable Event" will be one of the options available from the "Event Actions" drop-down in the search results.

AFAIK, this will only work with raw search results. I don't believe you can manually create notables from tstats/stats/etc. results.

0 Karma

koshyk
Super Champion

I've almost found a way to create notables from tstats. Just testing a few more notables and duplicates to validate this.

0 Karma
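An added example of what a backfill from the ES search bar might look like (this is not from the thread and not Splunk's documented procedure; verify against your ES version). It re-runs the correlation search's logic with an explicit time range covering the outage, drops rows that already have a notable in the `notable` index for that window so the replay does not duplicate what did fire, and hands the remaining rows to the ES `notable` alert action with `sendalert`, which is what the scheduler invokes when a correlation search triggers. The data model search, the time range, the threshold and the `search_name` value are placeholders for your own use case. The `param.*` keys assume the `notable` action accepts the same names that appear as `action.notable.param.*` in a correlation search's savedsearches.conf, and the `$src$`/`$user$`/`$count$` tokens mirror how the shipped rule titles reference result fields.

```spl
| tstats count from datamodel=Authentication
    where Authentication.action=failure
      earliest="01/05/2024:10:00:00" latest="01/05/2024:12:00:00"
    by _time span=1h, Authentication.src, Authentication.user
| rename Authentication.* as *
| where count > 50
| search NOT
    [ search index=notable
        search_name="<Your Correlation Search Name - Rule>"
        earliest="01/05/2024:10:00:00" latest="01/05/2024:12:00:00"
      | fields src, user ]
| sendalert notable
    param.rule_title="Brute Force Access Behavior Detected (backfill): $src$"
    param.rule_description="$count$ failed logins from $src$ for $user$ during the ES outage window"
    param.security_domain="access"
    param.severity="medium"
```

Run the search without the final `sendalert` line first and check the row count, since each remaining row becomes a notable once `sendalert` is appended. If your correlation search stores different fields in its notables, change the `fields` list in the subsearch to whatever uniquely identifies one notable for that rule.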