Why is Splunk ES Contributing Events not seeing ma...

burakatabay · ‎04-30-2019

Hi splunkers,
My question is Why I not see Contributing Events in All incidents ?

I want to go directly to the event by pressing the Contributing Events.

How ı see Contributing Events in all incidents ?
Have a good day.

smoir_splunk · ‎04-30-2019

If the search generating the alert relies on aggregates, there might not be any contributing events to show.

For example, if the search is performing a |stats count and alerting where count>4, it's relying on aggregates of 4 events, it doesn't necessarily keep track of what those 4 specific events were. But if it's alerting on |search threat_intel=calc.exe, there are specific contributing events available. (Examples for illustrative purposes only)

So there are some searches that will have contributing events available, but not all of them do.

burakatabay · ‎04-30-2019

Thank you for answer 🙂

TheSplunkDude · ‎06-25-2019

Also make sure you have a value in the Drill-down Name (and Drill -Down Search) in the Notable event for the correlation search.

Why is Splunk ES Contributing Events not seeing many incidents?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio