Splunk Enterprise

Triggered events generated by adding new correlation rules are shown in Top Notable Events (Security Posture) but not shown on the Incident Review page


In Splunk ES, correlation rules added with Adaptive Response Actions (notables with a specified domain), when triggered, get reported in Top Notable Events in Security Posture and not in Incident Review. How do I get the triggered events on the Incident Review page? Please help.


Getting the output in table format worked for me.

Thank you all!

0 Karma

New Member

I also face the same issue.

We have added more rules in ES. When we add a new rule, we choose the option to create a “notable” under adaptive response actions and also select an appropriate domain.

The new rules are successfully invoked and notable events are being generated. If we do a search es_notable_events, all notable events created are listed; however, the new ones that are added are not getting listed under any of the selected domains in Incident Review. Also, if you do an advanced search under the Incident Review pane, we could not find the notables that are generated.

We are also unable to assign these new notables to any of our analysts, and further drill-down search from the invoked rules seems to be incomplete.

0 Karma