Hi All,
I am a newbie to Splunk Enterprise Security and currently I am trying my hand at Splunk ES to explore more of the SIEM areas.
I have a couple of questions on the basic working principles of CIM and correlation searches.
I understand that once we normalize the incoming data to be CIM compatible, Splunk automatically links it with the particular data model based on tags; for example, the Malware_Attacks data model links the incoming data (indexed and normalized data which is available in an index named test) with the tags malware and attack, and data model acceleration is also enabled.
In this scenario, for correlation searches the tstats command looks into the tsidx files to get the search results. My question here is how Splunk scans multiple indexes: in my case the data is available in the test index, and there may be indexes called test1, test2, and all of these indexes have CIM-compatible data for Malware.
Is all of the data in each of these indexes compiled into one tsidx file for each data model, or does it use different techniques to scan each of the indexes for getting the result?
Please correct me if any of my above understanding is incorrect.
Your help is appreciated !!!
Thanks
Aashiq
I believe if you're getting data from an endpoint protection system or an EDR, you should look into storing them in the same index, with different sourcetypes, unless you're ingesting sysmon, regmon, profmon logs etc., in which case different indexes for them would be fine.
To answer your question, if you want Splunk to search in multiple indexes for Malware-related data to collect for your data model, you can always edit the CIM configuration, and under Malware, add the names of those indexes and click save.
After this change, Splunk will bag and tag the required data from all of your indexes for you. Your tstats command should start giving you the accurate results. Hope this helps.
Thanks,
S
Disclaimer: If it helps you, please accept it as a solution.
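What the CIM setup page writes when you add indexes under Malware, shown here as an added example (not from the poster or the Splunk app itself), using the test/test1/test2 index names from the question; the file path and the verification search are my assumptions about a standard Splunk_SA_CIM install:

```ini
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# The Malware data model's root constraint is
#   (`cim_Malware_indexes`) tag=malware tag=attack
# so restricting this macro is what scopes both the acceleration
# (the tsidx summaries tstats reads) and the data model search to
# the indexes you actually want.
[cim_Malware_indexes]
definition = (index=test OR index=test1 OR index=test2)

# Check that every index is really feeding the accelerated summary.
# summariesonly=true forces tstats to use only the summary tsidx data,
# so an index missing from the output means its events were not tagged
# (malware + attack) or the summary has not been rebuilt since the
# macro changed (Settings > Data models > Rebuild):
#
#   | tstats summariesonly=true count
#       from datamodel=Malware.Malware_Attacks
#       by index sourcetype
```

Leaving the macro at its default `()` matches all indexes, which works but forces the accelerated summary to scan every index for the two tags.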
When you use tstats to search a data model, the DM knows which indexes to use and will open the appropriate tsidx files.