
high number of correlation searches - Not supported

mantony52
Engager

When we enable more than 200 correlation searches in the Splunk ES app, the Splunk Security Essentials app is not able to run the query for "Correlation Search Introspection" on the 'Bookmarked Content' dashboard page. It simply gets stuck with the page showing "gathering data...". Any suggestions? This is a search head cluster environment with the ES app installed on the SHC, and we have deployed content using the Splunk ES app, ESCU and the SSE app. Hence the number of enabled security correlation searches comes to around 250.

Kindly suggest.

0 Karma

skalliger
Motivator

Sorry for not answering your question directly.

An ES environment is not meant for enabling all the Correlation Searches you think might be fitting. Did you involve either Splunk or a partner to get a good approach on how to use ES? While Security Essentials is a very nice add-on containing much useful stuff, like ESCU, you can't just install it and expect the Correlation Searches to work out of the box.

Skalli

0 Karma

gfreitas
Builder

What status does it show in the jobs window? It might be the case that there are so many searches that they got queued.

0 Karma

starcher
Influencer

Agreed, you are likely greatly exceeding your search dispatch capacity doing that. You should consult your Splunk admin on what the available capacity is in your SHC, given ES, data model accelerations, user interactive search patterns etc., to decide the remaining capacity.

0 Karma

mantony52
Engager

Hi, thanks for your suggestions. As you said, I am getting the below dispatch error message in my Splunk environment:
"Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=10059, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size."

What are the recommended actions I can take to get the SSE app configuration completed?
Thanks in advance.

0 Karma
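A way to size the dispatch backlog before reaching for `splunk clean-dispatch`, as an added example (this is not code from the thread or from Splunk): count the artifact directories and group the scheduler-generated ones by owner and app, so you can see which app's scheduled searches are producing the bulk of the 10,000+ artifacts. It assumes the usual layout `$SPLUNK_HOME/var/run/splunk/dispatch/<artifact>/` and that scheduled-search artifacts are named `scheduler__<owner>__<app>__<hash>_at_<epoch>_<serial>`; the sample directory it builds, including the app names in it, is constructed for illustration.

```shell
#!/bin/sh
# Summarise search artifacts in a Splunk dispatch directory before running
# "splunk clean-dispatch": how many there are, and which scheduled searches
# (grouped by owner and app) account for most of them.
#
# Assumptions (not stated in the thread): dispatch dir layout
# $SPLUNK_HOME/var/run/splunk/dispatch/<artifact>/ and scheduler artifacts
# named scheduler__<owner>__<app>__<hash>_at_<epoch>_<serial>.

# Total number of artifact directories directly under the dispatch dir.
dispatch_count() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Scheduler artifacts grouped by owner and app, one "count owner app" line
# per group, largest group first.
dispatch_by_scheduler() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name 'scheduler__*' \
        | sed 's|.*/||' \
        | awk -F'__' '{ print $2, $3 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Returns 0 when the artifact count is within the threshold (default 5000,
# the warning threshold quoted in the dispatch message), 1 when it is over,
# printing the ten largest scheduler groups so you know what to tune.
dispatch_check() {
    dir=$1
    threshold=${2:-5000}
    count=$(dispatch_count "$dir")
    if [ "$count" -gt "$threshold" ]; then
        echo "WARNING: $count artifacts in $dir (threshold $threshold)"
        dispatch_by_scheduler "$dir" | head -n 10
        return 1
    fi
    echo "OK: $count artifacts in $dir (threshold $threshold)"
    return 0
}

# Constructed sample dispatch directory for offline demonstration: four ES
# scheduler artifacts, two SSE scheduler artifacts and one ad-hoc search.
make_sample_dispatch() {
    for i in 1 2 3 4; do
        mkdir -p "$1/scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5aaaa_at_170000000${i}_${i}"
    done
    for i in 1 2; do
        mkdir -p "$1/scheduler__admin__Splunk_Security_Essentials__RMD5bbbb_at_170000000${i}_${i}"
    done
    mkdir -p "$1/1700000001.42"
}

# Check the real dispatch directory when run on a search head.
DISPATCH="${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/dispatch"
if [ -d "$DISPATCH" ]; then
    dispatch_check "$DISPATCH"
fi
```

Run it on each search head cluster member (artifacts are local to the member that ran the search); the owner/app breakdown tells you whether the retention to shorten is `dispatch.ttl` on the ES correlation searches, on the SSE content, or on something else, and `dispatch_check "$DISPATCH" 5000` gives a quick pass/fail you can repeat after cleaning.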