When we are enabling more than 200 correlation searches in the Splunk ES app, the Splunk Security Essentials app is not able to run the query for "Correlation search Introspection" in the 'Bookmarked content' dashboard page. It simply gets stuck with the page showing "gathering data...". Any suggestions? Also, this is a search head cluster environment with the ES app installed in the SHC, and we have deployed content using the Splunk ES app, ESCU, and the SSE app. Hence the number of enabled security correlation searches comes to around 250.
Agreed, you are likely greatly exceeding your search dispatch capacity by doing that. You should consult your Splunk admin on what the available capacity in your SHC is, given ES, data model accelerations, user interactive search patterns, etc., to decide the remaining capacity.
Hi, thanks for your suggestions. As you said, I am getting the below dispatch error message in my Splunk environment.
"Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=10059, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatchdirwarning_size. Learn more."
What are the recommended actions I can take to get the SSE app configuration completed?
Thanks in advance.
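As an added example (not part of the thread or of Splunk's own tooling), this shell check reproduces the comparison behind the quoted warning: it counts the artifact directories in a dispatch directory and compares them against the warning threshold from limits.conf. It assumes artifacts are the immediate subdirectories of the dispatch directory, that the key is dispatch_dir_warning_size in the [search] stanza, and that the default is 5000 when the key is absent.

```shell
#!/bin/sh
# Added example, not from the thread: compare the number of search artifacts
# in a Splunk dispatch directory with the limits.conf warning threshold.
# Assumptions: each artifact is one subdirectory of the dispatch directory
# (normally $SPLUNK_HOME/var/run/splunk/dispatch); the threshold key is
# dispatch_dir_warning_size in the [search] stanza; default 5000 if unset.

# read_dispatch_threshold <limits.conf> -> prints the threshold (default 5000)
read_dispatch_threshold() {
    conf="$1"
    val=""
    if [ -f "$conf" ]; then
        # Take the last dispatch_dir_warning_size assignment inside [search].
        val=$(awk '
            /^\[/ { in_search = ($0 == "[search]") }
            in_search && $1 ~ /^dispatch_dir_warning_size/ {
                sub(/^[^=]*=[[:space:]]*/, ""); v = $0
            }
            END { print v }' "$conf")
    fi
    printf '%s\n' "${val:-5000}"
}

# count_dispatch_artifacts <dispatch_dir> -> prints the number of artifact dirs
count_dispatch_artifacts() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# check_dispatch <dispatch_dir> <limits.conf>
# Returns 0 when the count is within the threshold, 1 when it is exceeded.
check_dispatch() {
    count=$(count_dispatch_artifacts "$1")
    threshold=$(read_dispatch_threshold "$2")
    if [ "$count" -gt "$threshold" ]; then
        echo "WARNING: $count artifacts in $1 exceed threshold $threshold"
        return 1
    fi
    echo "OK: $count artifacts in $1 (threshold $threshold)"
    return 0
}
```

Run it against the live dispatch directory and limits.conf from cron or a monitoring agent to catch artifact build-up before the UI stalls, rather than discovering it from the dashboard warning.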
Sorry for not answering your question directly.
An ES environment is not meant for enabling all the Correlation Searches you think might be fitting. Did you involve either Splunk or a partner to get a good approach on how to use ES? While Security Essentials is a very nice add-on containing much useful stuff, like ESCU, you can't just install it and expect the Correlation Searches to work out of the box.