Splunk oncloud not fetching updated events

Ganesh90 · ‎08-16-2023

Hi,

we have event ingestion scheduling at every 10 minutes to to fetch notable events data.

the problem here is once the notable record is created in ES import table and then we update the notable in ES console to escalate it for sir creation. It is not getting updated in the ES import table, hence not matching our escalation criteria

anyone faced this

Kireetivvs · ‎08-16-2023

Do you have the 'Pull updated notable events' enabled under the 'Splunk ES Settings' module ?

Ganesh90 · ‎08-16-2023

@Kireetivvs @This property is set to true, but still not getting updated events, polling time is set to 10 min. Initially it is fetching all the notables but once we update it in ES console it’s not getting fetched

Kireetivvs · ‎08-16-2023

Probably then the profile might not have any filter conditions set in the 'Mapping' section ? You will have to set the criteria in the filter condition for which a SIR incident creation is required.

Ganesh90 · ‎08-16-2023

Filter condition is there @Kireetivvs, SIR are getting created for the notable which are fetched for the first time and have matching filter condition

its just those notables already present is ES import table are not updating, hence filter condition not getting matched for SIR creation