Thanks for the responses, lakshman239 and tiagofbmm. Here is some additional information.
I see notable events using the macro, and just searching the index. I see them from before and after the missing notable event, both in general and for the specific alert.
The KV store is running and shows no error in its status. The notable index and the Windows index have longer retention policies set up, are not full, and have events prior to the ones that are missing. The indexer cluster shows no search or replication issues.
I don't see the original events that would have triggered the alert in Splunk, which is part of the issue I'm trying to understand. The alert should trigger off of Windows events for group additions. I can see the following info:
- In Splunk, I see Windows events from the specific host, where other users were added to the specific group, before and after.
- In Splunk, I see Windows events from the specific host, where the specific user was added to other groups, before and after.
- The notification email sent does not have details on the event configured; it just sends the alert name. However, the person who originally looked into it described a specific user being added to a specific group on a specific host at a specific time, based on what they were seeing in Splunk. They did not have access to the Windows host.
- On the local host itself, we are able to confirm that the specific event happened with the details the other person originally saw in Splunk, at the time they mentioned.
- The day after making those notes, neither the original user nor anyone else could find the notable event or the Windows event that generated it.
The information appears to have been in Splunk but is now missing. The original person described details they couldn't have known without them being available in Splunk, and those details were verified, so it's not like they were just mistaken.