Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM-Compliance related questions

ND1
Explorer
‎06-09-2025 11:08 AM

Why is my Correlation Search not showing up in Incident Review?”

“How do I determine why a Correlation Search isn’t creating a notable event?”

Labels (1)
Labels
0 Karma
Reply

moorte
Explorer
‎06-19-2025 10:18 AM

The answers already given are spot on.  

When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results.  Do a copy and paste from the search query in the correlation search to an SPL window to validate that you don't actually mistype things.

If you get results from the query, than you want to validate that adaptive response is set (in ES versions before Splunk 😎 to make a notable. 

In ES 8 you will want to make sure that event finding option is selected  The other type of finding goes into a risk score and will not actually create a finding for you in analyst queue.  

If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that for sure will fire

index=_internal | head 1
| table index, sourcetype

Then see if that search will fire off an alert, if it doesn't you know that you have a configuration setting messed up in the correlation search.  

Hope this helps

0 Karma
Reply

tej57
Builder
‎06-19-2025 07:16 AM

Hey @ND1,

Whatever @sainag_splunk mentioned  is all correct. Additionally, you'll also need to validate if the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see if the events are present, do they qualify for the correlation search to trigger the notable creation or not.

Thanks,
Tejas.

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎06-09-2025 12:03 PM

@ND1 Most probably when an incident is not showing up, it's either suppression blocking the events or the notable action not being properly configured.

1. Check if notable events are being created:

index=notable earliest=-7d
| search source="*your_correlation_search_name*"

2. Check suppression settings:

| rest /services/saved/searches 
| search title="*your_correlation_search_name*" 
| table title, alert.suppress, alert.suppress.period


Try below:

If alert.suppress=1, try disabling suppression temporarily in ES > Content Management

Edit your correlation search and ensure "Notable" action is checked and saved

Test your correlation search manually first to confirm it returns results




If this Helps, Please Upvote.

 

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...