notable index not populating events for Splunk ent...

Arun · ‎02-04-2021

Can anyone help me im understanding why the notable events are not getting populated on splunk enterprise security.

Ive reinstalled the enterprise security app to see if that fixs the problem. But no luck.

Also ive enabled the corelation searches that are shipped by default by the app. The CS search returns the event result when explicitly searched but when the scheduled toh run no notable events are generated. I manually tired creating a notable events. still i do not see any of the notable events in security posture or other tabs.

To validate ive checked the notable index (i.e. index="notable") but even the notable index returns 0 events.I tried all but no luck.

Can someone help we you understanding what is causing the issue

scelikok · ‎02-04-2021

i @Arun,

If you are using indexer cluster, you should have create indexes that ES will use on your indexers. notable index is one of these. Could you please check if you may miss this step?

https://docs.splunk.com/Documentation/ES/6.4.1/Install/Indexes

If this reply helps you an upvote and "Accept as Solution" is appreciated.

lkutch_splunk · ‎02-04-2021

Let me know if this helps:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables

notable index not populating events for Splunk enterprise security appurity app

correlation search

notable event

using Enterprise Security

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation