Solved: Splunk Enterprise Security and Notable Events

Alteek · ‎02-16-2015

Hi,

I"m running the Enterprise Security app and I"m facing the following issue:

Notable events or Incidents are created on the Search Head, and stored localy on it (in the "notable" index for instance).
I can see that there is events on this index, but I'm not able to search for them (index=notable return no result).

1) Do I have to modify something ?
2) Do I have to generate these events on the indexers and not the search head ?

Thank you<
Regards

Alteek · ‎02-17-2015

Hi LukeMurphey,

I was looking directly into the search head.

I had a discussion with people from Splunk IRC, and they helped me on that.
As the index is located on the search head itself, you need to add the "| localop " command to have access to it.
I was using it the wrong way, all events needed to be forwarded back to the indexers (using the outputs.conf).

Hope it could help someone else.

Thank you again,
Regards

View solution in original post

Alteek · ‎02-17-2015

Hi LukeMurphey,

I was looking directly into the search head.

I had a discussion with people from Splunk IRC, and they helped me on that.
As the index is located on the search head itself, you need to add the "| localop " command to have access to it.
I was using it the wrong way, all events needed to be forwarded back to the indexers (using the outputs.conf).

Hope it could help someone else.

Thank you again,
Regards

LukeMurphey · ‎02-16-2015

Where are you searching for the notable events that it is returning no results? You are correct that notable events are on the search head only. Are they not showing up on your search head? Let me know and I'll write up a answer for you.

Splunk Enterprise Security and Notable Events

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms