Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Notables Are Not Being Created

daniaabujuma
Explorer
‎09-06-2023 04:57 AM

Hi Splunkers!

I am using Splunk Enterprise Security, and creating correlation searches, one of them I have created and tested manually by running the search over a specific period of time, many events matched, but no notable events are being created. To test my correlation, I have added another action (send email) when the correlation is triggered, and sure enough, an email was sent to me.

Can anyone help me solve this issue?

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 05:01 AM

Hi @daniaabujuma,

a very stupid question: did you created as Requested Action the Notable creation?

Notable Creation isn't enabled by default.

If yes, check the parameters you used.

Ciao.

Giuseppe

0 Karma
Reply

daniaabujuma
Explorer
‎09-06-2023 05:05 AM

Hi @gcusello ,

Thanks for the reply.

This is what I did, it works every time without issues but I noticed that recently the newly created correlations aren't creating notables when triggered.

daniaabujuma_0-1694001861474.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 05:08 AM

Hi @daniaabujuma,

check if the options in the Notable crattion are the same of other Notables that are usually triggered.

Ciao.

Giuseppe

0 Karma
Reply

daniaabujuma
Explorer
‎09-06-2023 05:25 AM

Hello @gcusello ,

Yes everything is the exact same

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 05:28 AM

Hi @daniaabujuma,

check the Correlation Search Name: it must be different than others, otherwise you cannot distinguish it from the others.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...