Splunk Enterprise

correlation search not triggering

maheshnc
Path Finder

I am running an SPL query as below:


index=o365 app=AzureActiveDirectory operation=UserLoggedIn | iplocation ClientIP | search Country!="United Arab Emirates" user!="Not Available" | table _time user ClientIP City Country app action signature src_ip user_agent | sort -_time

This query is fetching results when run in the Search and Reporting app, but when I am using the same query to create a correlation search it is not triggering any alert/notable (no events are populated). Again, if I copy-paste the same query into Search and Reporting it is not working, but when I keep adding the fields one by one to build the same query, it starts giving results. This is very strange behaviour; can somebody explain this?


PickleRick
SplunkTrust

Normally I'd say that the searches are run in different contexts (app, maybe user) so they might have access to different sets of KOs. But I don't understand the part about "adding fields to the search" which makes it work.


livehybrid
SplunkTrust

Hi @maheshnc 

When you copy the search back from the correlation search into Search and Reporting and run it but you get no result, how does the search differ compared to the original search you started with? 

What time period are you searching in your correlation search and how often? Are you throttling to prevent previous events from triggering a notable?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


maheshnc
Path Finder

This is where it is creating confusion for me; I am not sure how it is happening. However, to answer your query, I am using the same time period in the CS as in Search and Reporting, and no throttling is enabled.


livehybrid
SplunkTrust

Hi @maheshnc 

I'm very confused by this. 

So, you have a search which works in the Search and Reporting app; you then copy the search to create a CS which does not work; you then copy the same search back out of the CS into the S&R app and it works just fine?

*Something* must be different, so we need to work out what! Is the earliest/latest the same both times? What mode is the search running in (Fast/Smart/Verbose)?

Have you done any custom field extractions for ClientIP anywhere? If this was only in one place and not shared globally, then it might be that one app cannot extract ClientIP, which would cause the rest of the query to return nothing, as the IP lookup would not work.


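One way to test the field-extraction theory in this answer, as an added example that is not part of the original thread: the first search, run in the same app context the correlation search uses, counts how many matching events actually carry an extracted ClientIP and a resolved Country; the second rewrites the original filter with NOT so that events lacking the Country field are kept rather than silently dropped (in SPL, `field!=value` only matches events that have the field, whereas `NOT field=value` also matches events that do not). The index, sourcetype fields and field names are taken from the original query; nothing else is assumed.

```spl
index=o365 app=AzureActiveDirectory operation=UserLoggedIn
| iplocation ClientIP
| eval clientip_extracted=if(isnotnull(ClientIP), "yes", "no"),
       country_resolved=if(isnotnull(Country), "yes", "no")
| stats count by clientip_extracted country_resolved

index=o365 app=AzureActiveDirectory operation=UserLoggedIn
| iplocation ClientIP
| search NOT Country="United Arab Emirates" NOT user="Not Available"
| table _time user ClientIP City Country app action signature src_ip user_agent
| sort -_time
```

If the first search shows clientip_extracted=no in the ES app context but yes in Search and Reporting, the ClientIP extraction is not shared globally and the correlation search will never see a Country value to compare against.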