Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How To optimize eps aggregation and filtration in splunk

etaihellman
Engager
‎05-06-2021 12:40 PM

Hello guys,

i'm working with a costumer which wants to replace arcsight with splunk.

we're moving some systems from the arcsight and while we added "Fireglass" (by symantec) to monitoring we saw extreme growth in the license which almost caused to violations.

while digging in at the logs we saw that some sites, like youtube takes something like 1000 events for time frame of 1 minute. looking deeper i could see that all the video\audio traffic was sent as well. the customer told me that in Arcsight there's an option for "aggregation and filtration", which he can take the number of logs which are the same and merge them as one event, and ingest the whole traffic.

here's an explanation about the operation from the Arcsight side:

ArcSight. Optimizing EPS (Aggregation and Filtration) - SOC Prime

my question: can i make something like this with splunk? with a license of 100G the fireglass takes like 60G.

thanks in advance 

Etai 🙂

Labels (3)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...