Getting Data In

Use cases, ES content and source types - Could someone explain how this works with the content that comes with ES?

tokio13
Path Finder

Hello everyone,

I'd appreciate it if anyone could step in to help me with something that is unclear to me.

For use cases (anything in Enterprise Security > Content), I have found out that for the NEW correlation searches that will be created I can use macros or eventtypes/tags in my correlation search to address all existing source types AND new source types that might be onboarded, to keep all my use cases (CSs) up to date.

Could someone explain how this works with the content that comes by default with Enterprise Security? How do those out-of-the-box correlation searches (saved searches and all the others) know how to look into data from my source types if the source types aren't specified?

Thank you in advance to anyone who will take their time to make this clear to me.

0 Karma

tokio13
Path Finder

So basically, unless the correlation searches that come out-of-the-box with Enterprise Security are modified/customized, they won't apply straightforwardly to the logs that are being forwarded from the nodes?

0 Karma

gcusello
SplunkTrust

Hi @tokio13,

most of them are applied to datamodels, to have better performance especially with large volumes of data, but there are some of them directly applied to indexes (not many!).

Anyway, even after customization they continue to use datamodels; as I said, in this way you have better performance.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @tokio13,

at first, if you need to customize a Correlation Search, I suggest cloning it and working on the cloned one; don't customize the existing one. Yes, it's saved in local so it will not be overwritten on the next update, but it's a best practice.

Then you can take your CS and run it in the search dashboard, viewing the results.

If it uses a datamodel and you cannot see the sourcetypes because they aren't displayed, you can see the datamodel data by running a simple search on the data contained in that datamodel so you can see the sourcetype; for more info see https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/From

If it doesn't use a datamodel, you can run the main search and see the sourcetype.

If it uses a macro, you can look at the macro definition, or in the job inspector you have the full search.

ES usually uses datamodel or macros or both.

Ciao.

Giuseppe


0 Karma
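The inspection steps described in the answer above, written out as SPL searches (an added example, not part of the original post or of Splunk's own content). It assumes the CIM `Authentication` datamodel as the example datamodel and uses a placeholder correlation search name; adjust both to the search you are reviewing.

```spl
/* Step 1: list the enabled correlation searches and their SPL, so you can
   see whether each one reads from a datamodel, an index or a macro.
   action.correlationsearch.enabled is the attribute ES sets on its CS saved searches. */
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search action.correlationsearch.enabled=1
| table title, search, action.correlationsearch.label

/* Step 2a: the CS uses a datamodel. The datamodel hides the sourcetype, so
   query the raw events behind it and group by sourcetype (the 'from' command
   from the linked docs). "Authentication" is an assumed example datamodel. */
| from datamodel:"Authentication"
| stats count by sourcetype, source
| sort - count

/* Same check, but faster on large volumes because it reads the accelerated
   summaries; summariesonly=false still includes non-accelerated data. */
| tstats summariesonly=false count from datamodel=Authentication
    by sourcetype
| sort - count

/* Step 2b: the CS calls a macro. Expand its definition instead of guessing
   which indexes or sourcetypes it covers. Replace the placeholder title with
   the macro name you saw in the CS search string. */
| rest /servicesNS/-/-/admin/macros splunk_server=local
| search title="<MACRO_NAME_PLACEHOLDER>"
| table title, definition, eai:acl.app

/* Step 2c: the CS searches an index directly. Run its search string over a
   short window and group by sourcetype to confirm your forwarded logs are
   actually matched. <CS_SEARCH_PLACEHOLDER> stands for the SPL from step 1. */
<CS_SEARCH_PLACEHOLDER> earliest=-24h
| stats count by index, sourcetype
```

An empty result from steps 2a or 2b for a sourcetype you expect is the usual sign that the onboarded data is not CIM-tagged (eventtypes/tags) and therefore never reaches the datamodel the out-of-the-box CS relies on.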