Solved: Notable event index is empty.

gl_splunkuser · ‎04-09-2021

Hello everyone.

I am trying to deploy ESS, but I having some trouble with the notable events.

I can not see results at the Incident Review dashboard and this is because the notable event index is empty

I created a correlation search and as part of the adaptative response action a notable event had to be create.

But is not working, so I decided to run the search from de alert and there I can see results.

Also I followed the next guide https://docs.splunk.com/Documentation/ES/6.5.0/Admin/Troubleshootnotables

And I found this :

As you can see everything looks ok.

It is important to mention that some searches have been skipped, but not all of them and also I didn't change anything at the Splunk_SA_CIM, read that sometimes that can be a problem, but isn't my case.

Here a let a image of the result of this search index=_internal sourcetype=scheduler

I really don't know what is happening.

I will really appreciate the help.

Regards

scelikok · ‎04-10-2021

Hi @gl_splunkuser,

Is your Splunk standalone or distributed? If your Splunk instance is not standalone, you have to create notable index on your indexers.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

gl_splunkuser · ‎04-11-2021

That have a lot of sense.

Thank you so much.

scelikok · ‎04-10-2021

Hi @gl_splunkuser,

Is your Splunk standalone or distributed? If your Splunk instance is not standalone, you have to create notable index on your indexers.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Notable event index is empty.

field extraction

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?