Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

correlation search not triggering

maheshnc
Path Finder
‎11-05-2025 04:12 AM

 I am running a spl query as below


index=o365 app=AzureActiveDirectory operation=UserLoggedIn | iplocation ClientIP | search Country!="United Arab Emirates" user!="Not Available" | table _time user ClientIP City Country app action signature src_ip user_agent | sort -_time

this query is fetching results when run in search and reporting app, but when I am using the same query to create a correlation it is not triggering any alert/notable (no events are populated) again if I copy paste the same query in Search and reporting it is not working, but when I keep addding one by one fileds to build same query, it is starts giving results, this is very strange behaviour, can somebody explain this?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-06-2025 11:17 PM

Normally I'd say that the searches are run in different contexts (app, maybe user) so they might have access to different sets of KOs. But I don't understand the part about "adding fields to the search" which makes it work.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎11-05-2025 04:55 AM

Hi @maheshnc 

When you copy the search back from the correlation search into Search and Reporting and run it but you get no result, how does the search differ compared to the original search you started with? 

What time period are you searching in your correlation search and how often? Are you throttling to prevent previous events from triggering a notable?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

maheshnc
Path Finder
‎11-05-2025 11:28 PM

This is where it is creating confusing for me,  I am not sure how it is happening, however to answer your query, I am using the same time period in CS as in the search and reporting and not throttling is enabled.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎11-06-2025 11:04 PM

Hi @maheshnc 

I'm very confused by this. 

So, you have a search which works in Search and Reporting app - you then copy the search to create a CS which does not work, you then copy the same search back out of the CS into S&R app and it works just fine?? 

*Something* must be different so we need to work out what! The earliest/latest is the same both times? What mode is the search running in (Fast/Smart/Verbose) ?

Have you done any custom field extractions for ClientIP anywhere? If this was only in one place and not shared globally then it might be that one app cannot extract the ClientIP which would cause the rest of the query to return nothing as the ip lookup would not work.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...