Splunk Enterprise Security

How do I find a list of correlation searches in ES or Splunk Enterprise that are not working, e.g. because of missing macros?

SamHTexas
Builder

Please help me with an SPL to locate correlation searches that are in trouble or not working right, for example because of a missing macro. Thank you very much in advance.


lakshman239
Influencer

@SamHTexas You can look at index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment. Hope this helps.

SamHTexas
Builder

Thank you, bro, for your message. Do you have any good SPLs to share for this purpose, for Enterprise or ES? Thank you in advance.


lakshman239
Influencer

Something like this will do in Splunk Core or ES.

index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" | rex field=_raw "savedsearch=(?<mysaved_search>.+?) err=" | rex field=_raw "savedsearch_id=\"(?<mysaved_search>.+?)\", message=\"Error" | stats count by host, mysaved_search

You can then adjust this as per your setup and perhaps set up an alert/correlation search to show you errors from macros/lookups within the correlation searches in ES.

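As an added example that is not part of the original thread, the search below builds on the answer above: it takes the saved-search failures that splunkd logs, keeps only those that belong to an ES correlation search, and classifies each failure so that a missing macro shows up separately from a missing lookup. It assumes it is run on the ES search head, that splunkd logs these failures from the SavedSplunker component as savedsearch_id="owner;app;name", message="..." lines (the format the rex in the answer above targets), and that correlation searches are the saved searches carrying action.correlationsearch.enabled=1 in savedsearches.conf; the rule_label and problem field names are ones I chose for the output.

```spl
index=_internal sourcetype=splunkd log_level=ERROR component=SavedSplunker "savedsearch_id=" ```assumption: SavedSplunker is the component that logs saved-search failures```
| rex field=_raw "savedsearch_id=\"(?<savedsearch_id>[^\"]+)\",\s+message=\"(?<error_message>[^\"]+)\""
| rex field=savedsearch_id "^(?<owner>[^;]+);(?<app>[^;]+);(?<savedsearch_name>.+)$" ```split owner;app;name into separate fields for the join```
| join type=inner app savedsearch_name
    [| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
     | search action.correlationsearch.enabled=1 ```assumption: this setting marks an ES correlation search```
     | rename title AS savedsearch_name, eai:acl.app AS app, action.correlationsearch.label AS rule_label
     | fields app savedsearch_name rule_label ]
| eval problem=case(
      match(error_message, "(?i)macro"),        "missing or broken macro",
      match(error_message, "(?i)lookup"),       "missing lookup",
      match(error_message, "(?i)SearchParser"), "other search parse error",
      true(),                                   "other error") ```bucket the error text so each failure type can be alerted on separately```
| stats count AS failures, latest(_time) AS last_failure, latest(error_message) AS last_error, values(rule_label) AS rule_label
        BY app, savedsearch_name, problem
| convert ctime(last_failure)
| sort - failures
```

The inner join drops every failure that does not match a correlation search, so ordinary scheduled reports never appear; drop the join if you also want those. The triple-backtick comments are SPL comments (Splunk 8.0 or later) and can be removed on older versions. Run it over the same time range you use for the scheduler, and turn it into a scheduled alert with a condition of failures > 0 if you want to be told when a rule stops parsing.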

manojannabathin
Loves-to-Learn Everything

How can I check only skipped correlation searches in a Splunk SPL query?


index=_internal sourcetype=scheduler status!=success
| stats count as skipped_count by search_type user app savedsearch_name status


With this query I am getting all the skipped searches.

Could you help me with this?

TIA

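An added example, not from the thread, that narrows the scheduler view to ES correlation searches only. scheduler.log is indexed in _internal with sourcetype=scheduler, so the search reads both skipped and successful runs from there, keeps only the saved searches that ES marks with action.correlationsearch.enabled=1 (an assumption about how ES tags its correlation searches), and reports the skip ratio per rule so you can see which ones are starved rather than merely skipped once. skipped_count, success_count, skip_pct and skip_reasons are output names I chose.

```spl
index=_internal sourcetype=scheduler (status=skipped OR status=success)
| join type=inner app savedsearch_name
    [| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
     | search action.correlationsearch.enabled=1 ```assumption: this setting marks an ES correlation search```
     | rename title AS savedsearch_name, eai:acl.app AS app
     | fields app savedsearch_name ]
| stats count(eval(status="skipped")) AS skipped_count,
        count(eval(status="success")) AS success_count,
        values(eval(if(status="skipped", reason, null()))) AS skip_reasons,
        latest(eval(if(status="skipped", _time, null()))) AS last_skipped
        BY app, user, savedsearch_name
| eval skip_pct=round(100 * skipped_count / (skipped_count + success_count), 1) ```share of scheduled runs that never executed```
| where skipped_count > 0
| convert ctime(last_skipped)
| sort - skip_pct
```

The reason field from scheduler.log tells you why a run was skipped (for example a concurrency limit or a run that overlapped the previous one), which is the detail you need to decide between raising search concurrency, widening the cron interval, or rewriting the rule. The subsearch inside the join is subject to the normal subsearch limits, which is fine for the number of correlation searches a typical ES deployment enables.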