Splunk Enterprise Security

Why is there an increase in security notables event count?

umesh
Path Finder

Hi Team,

 

I have created a notable in the Splunk ES and i received a notable and i analyzed the notable and i can see 130 events in the raw logs. But after sometime if i analyse the same notable i can see that there is increase in the  count of events . Can i know what the issue is regarding the increase in the event count.

Thanks & Regards,

Umesh

Tags (2)
0 Karma

umesh
Path Finder

@gcusello  can you please help on this. when i click on the contributing events in notable alert it is showing count of 59 events and aftersometime when i analyse the same notable contributing events link  the event count is getting increased. Please i explain the reason why it is happening 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @umesh,

it should be analyzed in your installation, but probably because the search has latest=now, so in the meantime other events arrived.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...