Splunk Enterprise Security

Splunk Enterprise Security and Notable Events

Alteek
Explorer

Hi,

I'm running the Enterprise Security app and I'm facing the following issue:

Notable events or Incidents are created on the Search Head, and stored locally on it (in the "notable" index for instance).
I can see that there are events in this index, but I'm not able to search for them (index=notable returns no result).

1) Do I have to modify something?
2) Do I have to generate these events on the indexers and not the search head?

Thank you
Regards

0 Karma
1 Solution

Alteek
Explorer

Hi LukeMurphey,

I was looking directly into the search head.

I had a discussion with people from Splunk IRC, and they helped me on that.
As the index is located on the search head itself, you need to add the "| localop " command to have access to it.
I was using it the wrong way, all events needed to be forwarded back to the indexers (using the outputs.conf).

Hope it could help someone else.

Thank you again,
Regards


0 Karma
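The two fixes named in the accepted answer, as an added example that is not part of the original post or of Splunk's own documentation. Before any forwarding is configured, the notable index lives only on the search head, so a distributed search skips it; prefixing the search with `| localop | search index=notable` keeps the search on the search head and returns those local events. The longer-term fix is to stop indexing on the search head and forward its data to the indexer tier with an outputs.conf like the one below. The group name, hostnames and port are assumed placeholders; the stanza and setting names are standard outputs.conf keys.

```ini
# outputs.conf on the Enterprise Security search head
# (added example; hostnames, port and group name are placeholders)

# Keep no local copy on the search head: every event is sent to the indexers.
[indexAndForward]
index = false

[tcpout]
defaultGroup = es_indexers
# Forward all indexes, including "notable", not just the default set.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:es_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997
```

The "notable" index must be defined on the indexers as well, or the forwarded events will be dropped there; after a splunkd restart on the search head, a plain `index=notable` search returns results through the normal distributed path and `| localop` is no longer needed. Events already indexed locally on the search head are not migrated by this change.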


LukeMurphey
Champion

Where are you searching for the notable events that it is returning no results? You are correct that notable events are on the search head only. Are they not showing up on your search head? Let me know and I'll write up an answer for you.

0 Karma