Getting Data In

Use cases, ES content and source types - Could someone explain how this works with the content that comes with ES?

tokio13
Path Finder

Hello everyone,

I'd appreciate it if anyone could step in to help me with something that is unclear to me.

For use cases (anything in the Enterprise Security > Content), I have found out that for the NEW correlation searches that will be created I can use macros or eventtypes/tags in my correlation search to address all existing source types AND new source types that might be onboarded, so as to keep all my use cases (CSs) up to date.

Could someone explain how this works with the content that comes by default with Enterprise Security? How do those out-of-the-box correlation searches (saved searches and all the others) know how to look into data from my source types if the source types aren't specified?

Thank you in advance to anyone who will take the time to make this clear to me.

0 Karma

tokio13
Path Finder

So basically, unless the correlation searches that come out-of-the-box by default with Enterprise Security are modified/customized, they won't apply straightforwardly to the logs that are being forwarded from the nodes?

0 Karma

gcusello
SplunkTrust

Hi @tokio13,

Most of them are applied to datamodels, to have better performance, especially with large volumes of data, but some of them are applied directly to indexes (not many!).

Anyway, even after customization they continue to use datamodels; as I said, this way you have better performance.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @tokio13,

At first, if you need to customize a Correlation Search, I suggest cloning it and working on the cloned one; don't customize the existing one. Yes, it's saved in local so it will not be overwritten on the next update, but it's a best practice.

Then you can take your CS and run it in the search dashboard, viewing the results.

If it uses a datamodel and you cannot see the sourcetypes because they aren't displayed, you can see the datamodel data by running a simple search on the data contained in that datamodel, so you can see the sourcetype; for more info see https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/From

If it doesn't use a datamodel, you can run the main search and see the sourcetype.

If it uses a macro, you can look at the macro, or in the job inspector you have the full search.

ES usually uses datamodels or macros, or both.

Ciao.

Giuseppe


0 Karma
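The checks described in the answer above (find the sourcetypes behind a datamodel-based correlation search, behind a tag/eventtype-based one, and behind a macro), written out as SPL searches. This is an added example, not code from the thread or from Splunk ES itself. It assumes the CIM `Authentication` datamodel and the `authentication` tag that ES ships with, and uses `<macro_name>` as a placeholder for whatever macro the job inspector shows in your correlation search.

```spl
| tstats summariesonly=true count from datamodel=Authentication by sourcetype

| from datamodel:"Authentication" | stats count by sourcetype

tag=authentication earliest=-24h | stats count by sourcetype, eventtype

| rest /servicesNS/-/-/admin/macros | search title="<macro_name>" | table title definition

| rest /servicesNS/-/-/saved/searches | search action.correlationsearch.enabled=1 | table title search
```

The first search answers the original question directly: an accelerated datamodel is a per-sourcetype result of tagging and field extraction, so splitting the `tstats` count by `sourcetype` shows which onboarded sourcetypes the out-of-the-box correlation search is actually reading, and a newly onboarded sourcetype that is CIM-compliant shows up here without the correlation search being changed. The second search does the same without the acceleration summary (slower, but it also covers data not yet summarized). The third shows the eventtype/tag route mentioned in the question: any sourcetype whose eventtypes carry the `authentication` tag is matched, again without naming sourcetypes. The last two read the macro definition and the enabled correlation searches through the REST API, so the full search text can be inspected without opening each one in the ES UI.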