Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM-Compliance related questions

ND1
Explorer
‎06-09-2025 11:08 AM

Why is my Correlation Search not showing up in Incident Review?”

“How do I determine why a Correlation Search isn’t creating a notable event?”

Labels (1)
Labels
0 Karma
Reply

moorte
Explorer
‎06-19-2025 10:18 AM

The answers already given are spot on.  

When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results.  Do a copy and paste from the search query in the correlation search to an SPL window to validate that you don't actually mistype things.

If you get results from the query, than you want to validate that adaptive response is set (in ES versions before Splunk 😎 to make a notable. 

In ES 8 you will want to make sure that event finding option is selected  The other type of finding goes into a risk score and will not actually create a finding for you in analyst queue.  

If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that for sure will fire

index=_internal | head 1
| table index, sourcetype

Then see if that search will fire off an alert, if it doesn't you know that you have a configuration setting messed up in the correlation search.  

Hope this helps

0 Karma
Reply

tej57
Builder
‎06-19-2025 07:16 AM

Hey @ND1,

Whatever @sainag_splunk mentioned  is all correct. Additionally, you'll also need to validate if the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see if the events are present, do they qualify for the correlation search to trigger the notable creation or not.

Thanks,
Tejas.

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎06-09-2025 12:03 PM

@ND1 Most probably when an incident is not showing up, it's either suppression blocking the events or the notable action not being properly configured.

1. Check if notable events are being created:

index=notable earliest=-7d
| search source="*your_correlation_search_name*"

2. Check suppression settings:

| rest /services/saved/searches 
| search title="*your_correlation_search_name*" 
| table title, alert.suppress, alert.suppress.period


Try below:

If alert.suppress=1, try disabling suppression temporarily in ES > Content Management

Edit your correlation search and ensure "Notable" action is checked and saved

Test your correlation search manually first to confirm it returns results




If this Helps, Please Upvote.

 

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...