Hello,

For your awareness, my architecture consists of 1 SH, 1 Enterprise Security SH, a cluster of 3 indexers, a deployment server with a cluster master, a license master, and an MC.

I noticed there are no Notable Events being populated into my notable index. I created events that matched the correlation searches I turned on and also ran those CS searches in search separately to ensure they picked up the events I created. I validated the data models with pivot to ensure data was populating. I also tried to create a manual notable event and nothing showed up in Incident Review.

Upon looking at the indexes in the settings menu I see a notable index, but nothing is getting populated, likely because I am searching off my index cluster. My deployment server is only managing my core Splunk search head, and I read somewhere that the Splunk_SA_CIM app needs to have an indexes.conf for notable events to be placed locally on ES.

Can someone please provide some thoughts or suggestions? Thanks in advance.