Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security and Notable Events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I"m running the Enterprise Security app and I"m facing the following issue:
Notable events or Incidents are created on the Search Head, and stored localy on it (in the "notable" index for instance).
I can see that there is events on this index, but I'm not able to search for them (index=notable return no result).
1) Do I have to modify something ?
2) Do I have to generate these events on the indexers and not the search head ?
Thank you<
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi LukeMurphey,
I was looking directly into the search head.
I had a discussion with people from Splunk IRC, and they helped me on that.
As the index is located on the search head itself, you need to add the "| localop " command to have access to it.
I was using it the wrong way, all events needed to be forwarded back to the indexers (using the outputs.conf).
Hope it could help someone else.
Thank you again,
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi LukeMurphey,
I was looking directly into the search head.
I had a discussion with people from Splunk IRC, and they helped me on that.
As the index is located on the search head itself, you need to add the "| localop " command to have access to it.
I was using it the wrong way, all events needed to be forwarded back to the indexers (using the outputs.conf).
Hope it could help someone else.
Thank you again,
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are you searching for the notable events that it is returning no results? You are correct that notable events are on the search head only. Are they not showing up on your search head? Let me know and I'll write up a answer for you.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
