high number of correlation searches - Not supported

mantony52
Engager

When we enable more than 200 correlation searches in the Splunk ES app, the Splunk Security Essentials app is not able to run the query for "Correlation search Introspection" on the 'Bookmarked content' dashboard page. It simply gets stuck with the page showing "gathering data...". Any suggestions? This is a search head cluster environment with the ES app installed in the SHC, and we have deployed content using the Splunk ES app, ESCU and the SSE app. Hence the number of enabled security correlation searches is around 250.

Kindly suggest.

0 Karma

skalliger
SplunkTrust

Sorry for not answering your question directly.

An ES environment is not meant for enabling all the Correlation Searches you think might be fitting. Did you involve either Splunk or a partner to get a good approach on how to use ES? While Security Essentials is a very nice add-on containing much useful stuff, like ESCU, you can't just install it and expect the Correlation Searches to work out of the box.

Skalli

0 Karma

gfreitas
Builder

What status does it show in the jobs window? It might be the case that there are so many searches that it got queued.

0 Karma

starcher
SplunkTrust

Agreed, you are likely greatly exceeding your search dispatch capacity by doing that. You should consult your Splunk admin on what the available capacity in your SHC is, given ES, data model accelerations, user interactive search patterns etc., to decide the remaining capacity.

0 Karma

mantony52
Engager

Hi, thanks for your suggestions. As you said, I am getting the dispatch error message below in my Splunk environment.
"Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=10059, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size. Learn more."

What are the recommended actions I can take to get the SSE app configuration completed?
Thanks in advance.

0 Karma
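The warning quoted above compares the artifact count in the dispatch directory against the limits.conf threshold (dispatch_dir_warning_size). As an added example, not code from the thread or from Splunk, the shell functions below reproduce that check and list the stale artifacts an admin would review before running `splunk clean-dispatch`; the dispatch directory path, the threshold and the age in minutes are passed in as arguments (assumptions, since the thread does not give the environment's values).

```shell
#!/bin/sh
# Added example, not from the thread: audit a Splunk dispatch directory
# against the warning threshold described in the post.
# Assumptions: DIR is the search head's dispatch directory
# (e.g. $SPLUNK_HOME/var/run/splunk/dispatch), THRESHOLD defaults to 5000,
# which is the warning threshold quoted in the post.

# count_artifacts DIR -> number of search artifact directories in DIR
count_artifacts() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# dispatch_status DIR THRESHOLD -> prints "ok"/"warn" with the counts,
# returns 0 when under the threshold and 1 when over it (like the warning)
dispatch_status() {
    count=$(count_artifacts "$1")
    if [ "$count" -gt "$2" ]; then
        echo "warn: count=$count threshold=$2"
        return 1
    fi
    echo "ok: count=$count threshold=$2"
    return 0
}

# stale_artifacts DIR MINUTES -> artifact directories not modified in the
# last MINUTES minutes; candidates for retention review / clean-dispatch
stale_artifacts() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mmin "+$2"
}

# Usage: sh dispatch_audit.sh DIR [THRESHOLD] [MINUTES]
if [ -n "$1" ]; then
    dispatch_status "$1" "${2:-5000}"
    echo "stale artifacts (older than ${3:-60} minutes):"
    stale_artifacts "$1" "${3:-60}"
fi
```

Run it on each search head cluster member, since every member keeps its own dispatch directory.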