Splunk Enterprise Security

Why is there an increase in security notables event count?

umesh
Path Finder

Hi Team,

 

I have created a notable in the Splunk ES and i received a notable and i analyzed the notable and i can see 130 events in the raw logs. But after sometime if i analyse the same notable i can see that there is increase in the  count of events . Can i know what the issue is regarding the increase in the event count.

Thanks & Regards,

Umesh

Tags (2)
0 Karma

umesh
Path Finder

@gcusello  can you please help on this. when i click on the contributing events in notable alert it is showing count of 59 events and aftersometime when i analyse the same notable contributing events link  the event count is getting increased. Please i explain the reason why it is happening 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @umesh,

it should be analyzed in your installation, but probably because the search has latest=now, so in the meantime other events arrived.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...