notable index not populating events for Splunk ent...

Arun · ‎02-04-2021

Can anyone help me im understanding why the notable events are not getting populated on splunk enterprise security.

Ive reinstalled the enterprise security app to see if that fixs the problem. But no luck.

Also ive enabled the corelation searches that are shipped by default by the app. The CS search returns the event result when explicitly searched but when the scheduled toh run no notable events are generated. I manually tired creating a notable events. still i do not see any of the notable events in security posture or other tabs.

To validate ive checked the notable index (i.e. index="notable") but even the notable index returns 0 events.I tried all but no luck.

Can someone help we you understanding what is causing the issue

scelikok · ‎02-04-2021

i @Arun,

If you are using indexer cluster, you should have create indexes that ES will use on your indexers. notable index is one of these. Could you please check if you may miss this step?

https://docs.splunk.com/Documentation/ES/6.4.1/Install/Indexes

If this reply helps you an upvote and "Accept as Solution" is appreciated.

lkutch_splunk · ‎02-04-2021

Let me know if this helps:
https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables

notable index not populating events for Splunk enterprise security appurity app

correlation search

notable event

using Enterprise Security

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor