Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM-Compliance related questions

ND1
Explorer
‎06-09-2025 11:08 AM

Why is my Correlation Search not showing up in Incident Review?”

“How do I determine why a Correlation Search isn’t creating a notable event?”

Labels (1)
Labels
0 Karma
Reply

moorte
Explorer
‎06-19-2025 10:18 AM

The answers already given are spot on.  

When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results.  Do a copy and paste from the search query in the correlation search to an SPL window to validate that you don't actually mistype things.

If you get results from the query, than you want to validate that adaptive response is set (in ES versions before Splunk 😎 to make a notable. 

In ES 8 you will want to make sure that event finding option is selected  The other type of finding goes into a risk score and will not actually create a finding for you in analyst queue.  

If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that for sure will fire

index=_internal | head 1
| table index, sourcetype

Then see if that search will fire off an alert, if it doesn't you know that you have a configuration setting messed up in the correlation search.  

Hope this helps

0 Karma
Reply

tej57
Builder
‎06-19-2025 07:16 AM

Hey @ND1,

Whatever @sainag_splunk mentioned  is all correct. Additionally, you'll also need to validate if the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see if the events are present, do they qualify for the correlation search to trigger the notable creation or not.

Thanks,
Tejas.

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎06-09-2025 12:03 PM

@ND1 Most probably when an incident is not showing up, it's either suppression blocking the events or the notable action not being properly configured.

1. Check if notable events are being created:

index=notable earliest=-7d
| search source="*your_correlation_search_name*"

2. Check suppression settings:

| rest /services/saved/searches 
| search title="*your_correlation_search_name*" 
| table title, alert.suppress, alert.suppress.period


Try below:

If alert.suppress=1, try disabling suppression temporarily in ES > Content Management

Edit your correlation search and ensure "Notable" action is checked and saved

Test your correlation search manually first to confirm it returns results




If this Helps, Please Upvote.

 

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...