Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Grouping Notable Events from MLTK alerts

psohn5295
Loves-to-Learn
‎07-28-2021 01:36 PM

Hello fellow Splunkers,

So my team has recently implemented the MLTK to track outliers and deviations in network events across several devices. Although I didn't set up the MLTK myself, it is running a query over 5 min intervals to allow analysts to quickly scope deviations from the baseline (upperbound, etc). 

All of this is completely fine, however, when we invoke a Notable Event in ES we are left with 24 iterations of the Notable Event (The MLTK requires a 2-hour interval to create a new baseline). Each notable representing a 5 min interval.

I was wondering if there is any method to group or cluster these notables into a single Notable Event. We are currently throttling the notable to 1 invocation per hour but this is obviously not a permanent solution as it can cause us to miss alerts that fire within an hour of the previous iteration.

Any insight into this would be extremely helpful.

Thanks!

Labels (1)
Labels
0 Karma
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎08-06-2021 10:01 AM

It sounds like you could use sequence templates:  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Sequencecorrelationsearches

Let me know if that helps. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...