Re: Grouping Notable Events from MLTK alerts

psohn5295 · ‎07-28-2021

Hello fellow Splunkers,

So my team has recently implemented the MLTK to track outliers and deviations in network events across several devices. Although I didn't set up the MLTK myself, it is running a query over 5 min intervals to allow analysts to quickly scope deviations from the baseline (upperbound, etc).

All of this is completely fine, however, when we invoke a Notable Event in ES we are left with 24 iterations of the Notable Event (The MLTK requires a 2-hour interval to create a new baseline). Each notable representing a 5 min interval.

I was wondering if there is any method to group or cluster these notables into a single Notable Event. We are currently throttling the notable to 1 invocation per hour but this is obviously not a permanent solution as it can cause us to miss alerts that fire within an hour of the previous iteration.

Any insight into this would be extremely helpful.

Thanks!

lkutch_splunk · ‎08-06-2021

It sounds like you could use sequence templates: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Sequencecorrelationsearches

Let me know if that helps.

Grouping Notable Events from MLTK alerts

using Enterprise Security

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!