Splunk Enterprise Security

The Notable Generation doesn't produce the expected results?

davidem
Explorer

Hi,

I created a new Correlation Search that needs to generate notables, so in the "Adaptive Response Actions" I added the "Notable" action with all the information.

Doing a manual search with the same time span as the correlation search, I've got the expected outputs. The problem is that the correlation search doesn't create the same number of notables.

For example: in a time range of 4 hours, the correlation search generated 4 notables, whereas doing the manual search I got 28 events.

Doing the search "index=_internal sourcetype=scheduler" in the same time range, I found the 28 runs generated by the correlation search, of which 24 have these parameters:

result_count=0
alert_actions=""
suppressed=0
status=success

and 4 with these parameters:

result_count=1
alert_actions="notable,risk"
suppressed=0
status=success

Why, if I do the manual search (the same as the correlation search), do I get 28 results, while the correlation search generated only 4 notables?


Thank you

0 Karma
1 Solution

davidem
Explorer

I changed the time range from (-6, -5) to (-11, -10) and now the notable generation works. There are some log sources with different delays. Thank you.


hettervik
Builder

You haven't activated alert throttling in the correlation search by chance? That could explain it.

Alternatively, if the alert runs frequently over a small timespan, e.g. runs every 5 minutes and searches the last 5 minutes, and there's also a delay in the logs reaching Splunk, the alert could "miss" the logs. The solution to this would be to add a delay to the search, so that it e.g. searches from -10m to -5m instead of -5m to now.

0 Karma
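The timing effect hettervik describes, as an added simulation that is not part of this thread and not Splunk code: a scheduled search can only match events that were already indexed when it dispatched, so a source whose ingestion lag exceeds the distance between "now" and the window's latest boundary is silently missing from result_count. It assumes a one-minute cron, three constructed sources with constant lags of 30s, 2m and 7m, and the two windows from the thread (-6m..-5m and -11m..-10m).

```python
from dataclasses import dataclass

MIN = 60  # seconds

@dataclass(frozen=True)
class Event:
    event_time: int  # _time of the event on a constructed timeline (seconds)
    index_time: int  # when the indexer actually received it (event_time + lag)

def run_scheduled_search(events, dispatch_time, earliest_offset, latest_offset):
    """One scheduler run: matches _time in [dispatch+earliest, dispatch+latest),
    but only events that were already indexed when the search dispatched."""
    earliest = dispatch_time + earliest_offset
    latest = dispatch_time + latest_offset
    return [e for e in events
            if earliest <= e.event_time < latest and e.index_time <= dispatch_time]

def simulate(events, period, horizon, earliest_offset, latest_offset):
    """Dispatch a run every `period` seconds; the returned list mirrors the
    result_count values you would see in index=_internal sourcetype=scheduler."""
    return [len(run_scheduled_search(events, t, earliest_offset, latest_offset))
            for t in range(0, horizon + 1, period)]

def build_events(horizon, source_lags):
    """Constructed feed: every source emits one event per minute, each source
    with its own constant ingestion lag (seconds)."""
    return [Event(t, t + lag) for lag in source_lags for t in range(0, horizon, MIN)]

def steady_state_counts(source_lags, earliest_offset, latest_offset, horizon=4 * 60 * MIN):
    """Per-run result counts, skipping the first runs whose window starts before t=0.
    A source is visible only while its lag <= -latest_offset."""
    events = build_events(horizon, source_lags)
    counts = simulate(events, MIN, horizon, earliest_offset, latest_offset)
    first_full_run = -earliest_offset // MIN
    return counts[first_full_run:]

if __name__ == "__main__":
    lags = [30, 2 * MIN, 7 * MIN]  # constructed: the slowest source arrives 7 minutes late
    for label, e, l in (("-6m..-5m", -6 * MIN, -5 * MIN), ("-11m..-10m", -11 * MIN, -10 * MIN)):
        counts = steady_state_counts(lags, e, l)
        print(f"{label}: {len(counts)} runs, result_count per run = {sorted(set(counts))}")
```

With the -6m..-5m window every run returns 2 results (the 7-minute source never makes it in); moving the window to -11m..-10m returns all 3, which is exactly the fix applied in the accepted answer.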

